CVE-2026-11359 in ProfileGrid Plugininfo

Summary

by MITRE • 07/09/2026

The Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration plugin for WordPress is vulnerable to unauthorized plugin installation and activation in versions up to, and including, 3.4. This is due to a missing capability check and missing nonce validation on the pg_install_profilegrid() AJAX handler registered via wp_ajax_pg_install_profilegrid. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate the ProfileGrid plugin from wordpress.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

This vulnerability exists within the Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration plugin for WordPress, specifically affecting versions up to and including 3.4. The flaw stems from insufficient access control mechanisms that fail to properly validate user permissions before executing sensitive operations. An authenticated attacker with subscriber-level privileges or higher can exploit this weakness to install and activate the ProfileGrid plugin through a vulnerable AJAX handler without proper authorization checks.

The technical implementation of the vulnerability resides in the pg_install_profilegrid() function which lacks both capability verification and nonce validation. This AJAX endpoint is registered using wp_ajax_pg_install_profilegrid, making it accessible to any authenticated user who can trigger the corresponding AJAX request. The absence of capability checks means that users at the subscriber level or above can perform plugin installation actions that should typically be restricted to administrators or users with elevated privileges.

The operational impact of this vulnerability allows attackers to escalate their privileges within the WordPress environment by installing potentially malicious plugins. Once installed, the ProfileGrid plugin could provide additional attack vectors through its own vulnerabilities or functionality. This creates a persistent threat vector that remains active as long as the compromised user account remains valid, enabling attackers to maintain access and potentially expand their control over the affected WordPress installation.

The vulnerability aligns with CWE-863, which describes "Incorrect Authorization" where a system fails to properly enforce access controls. From an ATT&CK perspective, this represents a privilege escalation technique under T1078 Valid Accounts, as attackers leverage legitimate user accounts to gain elevated privileges through unauthorized plugin installations. The attack chain involves initial access through a compromised subscriber account followed by privilege escalation via unauthorized plugin management capabilities.

Mitigation strategies should include immediate plugin updates to versions that address the capability and nonce validation gaps. Administrators should implement proper role-based access controls and regularly audit user permissions to prevent unauthorized installations. Additional protective measures include monitoring AJAX requests for unusual plugin installation patterns, implementing network-level restrictions on plugin installation endpoints, and maintaining up-to-date security plugins that can detect and block such unauthorized operations. The recommended approach also involves conducting regular security audits of all installed plugins to identify similar authorization flaws across the WordPress ecosystem.

Responsible

Wordfence

Reservation

06/05/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!