CVE-2026-57759 HIGH

CVE-2026-57759: WordPress ProfileGrid plugin <= 5.9.9.7 - CSRF to Account Takeover vulnerability

Vendor Metagauss
Product ProfileGrid
Weakness CWE-352 · CSRF
Published July 2, 2026
Last update July 2, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Unauthenticated Cross-Site Request Forgery (CSRF) in ProfileGrid versions <= 5.9.9.7.

Explanation of Vulnerability in Simple Terms

02 Summary

ProfileGrid versions up to 5.9.9.7 contain a cross-site request forgery (CSRF) vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Because the browser automatically attaches the victim's WordPress session cookies to cross-site requests, an attacker can craft a malicious link or page that, when visited by a logged-in site administrator or user, submits a state-changing request the plugin cannot distinguish from one the user made deliberately, executing unwanted operations without their knowledge or consent. This affects the confidentiality, integrity and availability of the site.
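The advisory does not identify which ProfileGrid request lacks protection, so the following is an added, illustrative WordPress plugin snippet (not ProfileGrid's code; every function and field name beginning with `pg_demo_` is hypothetical) that shows the vulnerable pattern the summary describes next to the hardened form a defender would expect: an email-change handler that acts on POST data alone, and the same handler gated by a WordPress nonce, a capability check and input validation. Changing the account email is used here because it is the kind of operation that turns a CSRF into an account takeover, as the CVE title states.

```php
<?php
/**
 * Added illustrative example, not ProfileGrid's code. All pg_demo_* names are
 * hypothetical. Shows the CSRF-prone pattern this advisory describes beside a
 * hardened handler using WordPress core APIs.
 */

// --- Vulnerable pattern: state change driven by request data alone. ----------
// The browser attaches the victim's WordPress auth cookies to any cross-site
// POST, so a hidden, auto-submitting form on an attacker's page produces a
// request this handler cannot tell apart from the user's own profile form.
function pg_demo_vulnerable_update_email() {
    if ( ! is_user_logged_in() ) {
        return;
    }
    $new_email = isset( $_POST['pg_demo_email'] )
        ? sanitize_email( wp_unslash( $_POST['pg_demo_email'] ) )
        : '';
    if ( $new_email ) {
        // Account-takeover primitive: once the email is attacker-controlled,
        // a normal password reset lands in the attacker's mailbox.
        wp_update_user( array( 'ID' => get_current_user_id(), 'user_email' => $new_email ) );
    }
}
// Registration left commented out on purpose; shown only for comparison.
// add_action( 'init', 'pg_demo_vulnerable_update_email' );

// --- Hardened pattern: nonce + capability check + explicit admin-post route. ---
// 1. The form embeds a nonce bound to this action and to the current user.
function pg_demo_render_email_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="pg_demo_update_email">';
    wp_nonce_field( 'pg_demo_update_email', 'pg_demo_nonce' ); // nonce + referer fields
    echo '<input type="email" name="pg_demo_email" required>';
    echo '<button type="submit">' . esc_html__( 'Update email', 'pg-demo' ) . '</button>';
    echo '</form>';
}

// 2. The handler rejects any request whose nonce does not verify.
function pg_demo_hardened_update_email() {
    // check_admin_referer() wraps wp_verify_nonce() and dies with HTTP 403 on
    // failure. A forged cross-site POST fails here because the attacker's page
    // has no way to read the victim's nonce value.
    check_admin_referer( 'pg_demo_update_email', 'pg_demo_nonce' );

    // Least privilege: only a user permitted to edit this account proceeds.
    $user_id = get_current_user_id();
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'pg-demo' ), '', array( 'response' => 403 ) );
    }

    $new_email = isset( $_POST['pg_demo_email'] )
        ? sanitize_email( wp_unslash( $_POST['pg_demo_email'] ) )
        : '';
    if ( ! is_email( $new_email ) ) {
        wp_die( esc_html__( 'Invalid email address.', 'pg-demo' ), '', array( 'response' => 400 ) );
    }

    $result = wp_update_user( array( 'ID' => $user_id, 'user_email' => $new_email ) );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), '', array( 'response' => 500 ) );
    }

    wp_safe_redirect( add_query_arg( 'pg_demo_updated', '1', admin_url( 'profile.php' ) ) );
    exit;
}
// admin_post_{action} fires only for logged-in users, which is exactly the
// population a CSRF targets; the nonce is what proves the user intended it.
add_action( 'admin_post_pg_demo_update_email', 'pg_demo_hardened_update_email' );
```

The design point is that `is_user_logged_in()` is not an intent check: it confirms who the cookie belongs to, not that the user chose to send this request. The nonce (or, for AJAX endpoints, `check_ajax_referer()`) ties the request to a page the user actually loaded, and the capability check keeps a valid nonce from being reused against an account the user should not touch. When auditing a plugin for this weakness, look for every handler that writes user or site data and confirm it reaches `wp_verify_nonce()` before the write.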

What an attacker can do

03 Attacker Capabilities

Perform unauthorized actions on behalf of a logged-in user, such as modifying settings, creating accounts, or deleting data.

Potential impact on your site

04 Site Impact

Administrators and users can be tricked into performing harmful actions; attackers may modify site configuration, user data, or content without direct access.

Conditions required to exploit

05 Prerequisites

A logged-in site user must visit a malicious link or page controlled by the attacker.

Key dates

06 Disclosure timeline

July 2, 2026 CVE published