CVE-2026-57759
Metagauss · ProfileGrid
A Cross-Site Request Forgery (CSRF) vulnerability in the ProfileGrid plugin allows an attacker who holds no account on the site to make a logged-in user's browser perform actions on that user's behalf without their consent.
Executive summary
An unauthenticated CSRF vulnerability in the Metagauss ProfileGrid plugin poses a significant risk: an attacker with no account on the site can force unauthorized, state-changing actions through the browser of a user who is logged in.
Vulnerability
This is classified as an unauthenticated CSRF vulnerability: the attacker needs no account or session on the target site. The victim, however, must be logged in. By luring that user to a page the attacker controls, the attacker can make the victim's browser submit a forged request to the site; the browser attaches the victim's session cookies automatically, so ProfileGrid processes the request as if the user had intentionally made it.
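The following is an added illustration, not ProfileGrid code, of why the mechanism above works and what a state-changing handler must check to stop it. The handler, request and session objects are hypothetical stand-ins (plain Python dicts), and the token scheme is a generic per-session HMAC rather than WordPress's own nonce implementation. With hardened=False the handler trusts the session cookie alone, which is exactly the condition a forged cross-site POST exploits; with hardened=True it rejects requests a current browser labels as cross-site and, for browsers that send no Fetch Metadata, requires a token the attacker's page cannot obtain.

```python
import hashlib
import hmac
import secrets

# Hypothetical per-deployment secret; a real site would load it from config.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session token server-side. The attacker's page cannot read
    it (same-origin policy) and cannot compute it without SERVER_SECRET."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def update_display_name(request: dict, sessions: dict, profiles: dict, hardened: bool) -> dict:
    """Simulated state-changing endpoint (stand-in for a profile edit handler).

    The browser attaches the victim's session cookie to a cross-site form POST
    automatically, so identifying the user from the cookie alone is not enough.
    With hardened=False the handler trusts the cookie and is forgeable.
    """
    session_id = request.get("cookies", {}).get("session")
    user = sessions.get(session_id)
    if user is None:
        return {"status": 401, "reason": "not logged in"}

    if hardened:
        # Fetch Metadata: current browsers label cross-site requests for us.
        if request.get("headers", {}).get("Sec-Fetch-Site") == "cross-site":
            return {"status": 403, "reason": "cross-site request"}
        # The token covers browsers that send no Fetch Metadata at all.
        submitted = request.get("form", {}).get("_csrf", "")
        if not hmac.compare_digest(submitted, issue_csrf_token(session_id)):
            return {"status": 403, "reason": "missing or invalid csrf token"}

    profiles[user]["display_name"] = request["form"]["display_name"]
    return {"status": 200, "reason": "updated"}


def simulate(hardened: bool) -> dict:
    """Replay three constructed requests against a fresh victim session and
    return each outcome as (HTTP status, resulting display name)."""
    sessions = {"s3ss10n": "alice"}           # constructed: alice is logged in
    profiles = {"alice": {"display_name": "Alice"}}
    cookies = {"session": "s3ss10n"}          # the browser sends this on every request

    # Alice's own form: same-origin, carries the token her page was served with.
    legit = {"cookies": cookies,
             "headers": {"Sec-Fetch-Site": "same-origin"},
             "form": {"display_name": "Alice A.", "_csrf": issue_csrf_token("s3ss10n")}}
    # Forged POST from an attacker-controlled page, submitted by a current browser.
    forged = {"cookies": cookies,
              "headers": {"Origin": "https://attacker.example", "Sec-Fetch-Site": "cross-site"},
              "form": {"display_name": "pwned"}}
    # Same forgery from an older browser that sends no Fetch Metadata headers.
    forged_legacy = {"cookies": cookies, "headers": {},
                     "form": {"display_name": "pwned"}}

    out = {}
    for name, req in (("legit", legit), ("forged", forged), ("forged_legacy", forged_legacy)):
        profiles["alice"]["display_name"] = "Alice"   # reset between attempts
        result = update_display_name(req, sessions, profiles, hardened)
        out[name] = (result["status"], profiles["alice"]["display_name"])
    return out


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "vulnerable", simulate(mode))
```

In the vulnerable mode all three requests succeed and both forgeries overwrite Alice's display name; in the hardened mode only Alice's own request does. Note that neither check helps if the attacker already has a valid token for the victim's session, which is why the token must be unguessable, bound to the session, and never reflected into responses readable cross-origin.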
Business impact
Exploitation of this CSRF flaw could lead to unauthorized profile modifications, unauthorized account settings changes, or other administrative actions, depending on the privileges of the user who is tricked into triggering it; an administrator as the victim is the worst case. With a CVSS score of 8.8, the fact that the attacker needs no account on the site significantly widens the attack surface for every organization running this plugin.
Remediation
Immediate Action: Update the ProfileGrid plugin to the latest version as soon as the vendor patch is available.
Proactive Monitoring: Monitor web server logs for state-changing requests (typically POSTs to WordPress's admin-ajax.php and admin-post.php endpoints) whose Referer or Origin header is absent or points at a host other than your own site. Treat a missing Referer as a low-confidence signal, since Referrer-Policy settings routinely strip it.
Compensating Controls: A Web Application Firewall (WAF) cannot verify plugin nonces it does not know, but it can reject state-changing requests that carry Sec-Fetch-Site: cross-site or whose Origin/Referer names a foreign host. This is a stopgap until the patch is applied and may need exceptions for legitimate cross-origin integrations.
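As an added example of the monitoring step (not tooling from the page or the vendor), the script below scans Apache/nginx combined-format access log lines for POSTs to the WordPress admin-ajax.php and admin-post.php endpoints whose Referer is missing or belongs to a different host than the site. The sample log lines are constructed; shop.example, attacker.example and the action=update_profile query parameter are hypothetical and not ProfileGrid identifiers.

```python
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# WordPress endpoints through which plugins commonly receive state-changing requests.
SENSITIVE_PATHS = ("/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php")


def parse_line(line: str):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def cross_site_hits(lines, site_host: str) -> list:
    """Return POSTs to sensitive endpoints whose Referer is absent or on a foreign host."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]          # drop the query string
        if path not in SENSITIVE_PATHS:
            continue
        referer = rec["referer"]
        if referer in ("", "-"):
            # Referrer-Policy often strips this header, so triage rather than block.
            reason = "no referer (low confidence: may be stripped by Referrer-Policy)"
        else:
            ref_host = (urlsplit(referer).hostname or "").lower()
            if ref_host == site_host.lower():
                continue                              # same-site form submission
            reason = f"foreign referer host {ref_host}"
        findings.append({"ip": rec["ip"], "time": rec["time"],
                         "path": rec["path"], "reason": reason})
    return findings


# Constructed sample lines: the site is shop.example; attacker.example is hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:09:12:01 +0000] "POST /wp-admin/admin-ajax.php?action=update_profile HTTP/1.1" 200 512 "https://shop.example/wp-admin/profile.php" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:09:13:44 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "https://attacker.example/prize.html" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2026:09:14:02 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2026:09:14:30 +0000] "GET /wp-content/uploads/avatar.png HTTP/1.1" 200 2048 "https://attacker.example/prize.html" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in cross_site_hits(SAMPLE_LOG.splitlines(), "shop.example"):
        print(f'{hit["time"]} {hit["ip"]} {hit["path"]}: {hit["reason"]}')
```

Only the two POSTs from the second and third lines are reported: the first is a same-site submission and the fourth is a GET for a static asset, which a foreign Referer is normal for. If your site is served from several hostnames, extend the comparison to that list; if the front end logs Sec-Fetch-Site or Origin in a custom format, prefer those headers over Referer, since they are sent far more reliably for cross-site POSTs.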
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability is particularly dangerous because it does not require the attacker to have an existing account on the site. We strongly recommend patching as soon as a fixed version is published, and advise users, especially administrators, to avoid browsing untrusted sites while logged into the application, or to log out when not actively using it, until the update is applied.