CVE-2026-57697

Metagauss · ProfileGrid

The ProfileGrid WordPress plugin contains an authentication bypass vulnerability that allows unauthenticated attackers to manipulate the password recovery process.

Executive summary

A critical authentication bypass flaw in the Metagauss ProfileGrid plugin could allow unauthenticated attackers to compromise user accounts via the password recovery mechanism.

Vulnerability

The plugin is susceptible to an "Authentication Bypass Using an Alternate Path or Channel" (CWE-288). This allows an unauthenticated attacker to interact with the password recovery functionality to gain unauthorized access or control over user profiles.

Business impact

This vulnerability poses a significant risk to site integrity and user data privacy. By bypassing authentication, attackers could take over administrative or user accounts, leading to unauthorized data access, potential site defacement, or the escalation of privileges. With a CVSS score of 7.5, this high-severity vulnerability requires immediate attention to prevent account takeover campaigns.

Remediation

Immediate Action: Review your WordPress installation and ensure the ProfileGrid plugin is updated to the latest available version beyond 5.9.9.6. If a patch is not yet available, consider temporarily deactivating the plugin until a secure update is provided.

Proactive Monitoring: Monitor access and authentication logs for unusual password reset requests or unauthorized login attempts targeting administrative accounts.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block suspicious traffic patterns directed at the password recovery endpoint.

Exploitation status

Public Exploit Available: Unknown.

Analyst recommendation

The severity of this authentication bypass necessitates prompt action. Administrators should verify their plugin version immediately and apply all available security updates. Given the potential for total account compromise, prioritize this task in your current maintenance cycle.