CVE-2026-57759

Metagauss · ProfileGrid

An unauthenticated Cross-Site Request Forgery (CSRF) vulnerability exists in the ProfileGrid plugin, allowing attackers to perform actions on behalf of users without their consent.

Executive summary

An unauthenticated CSRF vulnerability in the Metagauss ProfileGrid plugin lets an attacker who holds no account on the site cause a logged-in user's browser to submit state-changing requests the user never intended. The attacker needs only to get the victim to load a page they control; the damage is bounded by the privileges of the user who was tricked.

Vulnerability

This is an unauthenticated CSRF vulnerability, meaning the attacker does not need an account or an active session on the target site. The attack rides on the victim's session instead: when an authenticated user visits a malicious page, that page can make the victim's browser send a request to the site, and the browser attaches the victim's login cookies automatically. ProfileGrid's request handlers then process the request as if the victim had submitted it. For this class of bug the root cause is a state-changing handler that acts without first verifying an anti-CSRF token (in WordPress terms, a nonce) proving the request originated from a page the site itself served to that user.
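To make the handler-level defect concrete, here is an illustrative WordPress AJAX handler in its vulnerable form beside its hardened form. This is an added example, not ProfileGrid's code; the action names (`demo_update_profile_vuln`, `demo_update_profile`), the `demo_nonce` field, the `demo_bio` meta key and the `demo-profile.js` script are all assumed for the example.

```php
<?php
/*
 * Illustrative WordPress AJAX handlers (added example, NOT ProfileGrid's own code).
 * Action names, the 'demo_nonce' field, the 'demo_bio' meta key and the
 * 'demo-profile.js' script are assumptions made for this example.
 */

// --- Vulnerable pattern: the handler trusts any request that arrives with a
// --- valid login cookie. A page on attacker.example can make the victim's
// --- browser POST here, and the browser attaches the cookie automatically.
add_action( 'wp_ajax_demo_update_profile_vuln', 'demo_update_profile_vuln' );
function demo_update_profile_vuln() {
    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    // Every field is attacker-controlled via the cross-site POST; nothing
    // proves the victim intended this change.
    $bio = wp_kses_post( wp_unslash( $_POST['bio'] ?? '' ) );
    update_user_meta( $user_id, 'demo_bio', $bio );
    wp_send_json_success();
}

// --- Hardened pattern: a nonce ties the request to a page the site served
// --- to this user. A cross-site page cannot read that nonce, so it cannot
// --- forge a request that passes the check.
add_action( 'wp_ajax_demo_update_profile', 'demo_update_profile' );
function demo_update_profile() {
    // Dies with HTTP 403 unless $_POST['demo_nonce'] is a valid nonce for the
    // action 'demo_update_profile' and the current user's session.
    check_ajax_referer( 'demo_update_profile', 'demo_nonce' );

    $user_id   = get_current_user_id();
    $target_id = absint( $_POST['user_id'] ?? $user_id );

    // The capability check is separate from the CSRF check: a valid nonce
    // proves intent, not authority. Only users who may edit the target
    // account (administrators, normally) get past this for someone else.
    if ( $target_id !== $user_id && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $bio = wp_kses_post( wp_unslash( $_POST['bio'] ?? '' ) );
    update_user_meta( $target_id, 'demo_bio', $bio );
    wp_send_json_success();
}

// The nonce is minted server-side and handed to the page's own script, which
// must send it as the 'demo_nonce' field of every POST to admin-ajax.php.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script(
        'demo-profile',
        plugins_url( 'demo-profile.js', __FILE__ ),
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'demo-profile', 'demoProfile', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_update_profile' ),
    ) );
} );
```

Two details matter when reviewing a handler like this. The nonce check and the capability check answer different questions (did the user intend this request, and is the user allowed to do it), and a fix that adds only one of them leaves the other hole open. WordPress nonces are also not single-use: they are valid for up to 24 hours and bound to the user and session, so an attacker who cannot read the page still cannot obtain one, but a nonce leaked in a URL or log remains usable until it expires.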

Business impact

Exploitation of this CSRF flaw could lead to unauthorized profile modifications, unauthorized account settings changes, or other administrative actions, depending on the privileges of the user who is tricked. The attacker needs no account on the site; the victim does, so the worst case is an administrator who visits a malicious page while logged in. With a CVSS score of 8.8, the barrier to exploitation is a single page load by any logged-in user, which is why this affects every organization running the plugin rather than only those with weak account hygiene.

Remediation

Immediate Action: Update the ProfileGrid plugin as soon as the vendor releases a fixed version, and confirm the installed version against the vendor's changelog rather than assuming an auto-update has already applied it.

Proactive Monitoring: Monitor server logs for POST requests to the plugin's handlers (admin-ajax.php and admin-post.php on a WordPress site) that arrive from an external origin. Do not rely on the Referer header alone: browsers and referrer-policy settings routinely strip it, so a missing Referer is not evidence of a same-site request. The Origin and Sec-Fetch-Site request headers are more reliable signals, and most default access-log formats do not record them, so the log format may need to be extended first.

Compensating Controls: Use a Web Application Firewall (WAF) to block cross-site requests until the patch is applied. Note what a WAF can and cannot do here: it cannot validate a WordPress nonce, because the nonce is tied to the user's session on the server, so it can only check that a token field is present. What it can enforce is that state-changing requests to admin-ajax.php and admin-post.php carry a same-origin Origin header or a Sec-Fetch-Site value other than cross-site, which a browser sets and a malicious page cannot override.
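The monitoring and compensating-control steps above can be implemented inside WordPress itself, which is useful when the WAF cannot see request headers or when there is no WAF at all. The following must-use plugin is an added example, not part of the page or of ProfileGrid: it runs on the `init` hook, which fires before admin-ajax.php and admin-post.php dispatch to any plugin handler, and classifies every state-changing request from a logged-in user by its Sec-Fetch-Site and Origin headers. The function names (prefixed `fmg_`), the `[csrf-guard]` log tag and the assumption that the site's legitimate front end is same-origin with `home_url()` are all choices made for this example.

```php
<?php
/*
 * Plugin Name: CSRF Fetch-Metadata Guard
 * Description: Illustrative mu-plugin (added example, not ProfileGrid code).
 * Install: copy into wp-content/mu-plugins/ so it loads before every plugin.
 * Assumption: the site's legitimate pages are same-origin with home_url().
 */

add_action( 'init', 'fmg_guard_cross_site_writes', 0 );

function fmg_guard_cross_site_writes() {
    // Only state-changing verbs can be abused; GET/HEAD must be idempotent.
    $method = strtoupper( $_SERVER['REQUEST_METHOD'] ?? 'GET' );
    if ( in_array( $method, array( 'GET', 'HEAD', 'OPTIONS' ), true ) ) {
        return;
    }
    // CSRF rides on the victim's cookies; anonymous requests are not its target.
    if ( ! is_user_logged_in() ) {
        return;
    }

    $verdict = fmg_classify_request( $_SERVER, home_url() );

    if ( 'cross-site' === $verdict ) {
        fmg_log( 'blocked', $_SERVER );
        wp_die( 'Cross-site write request rejected.', 'Forbidden', array( 'response' => 403 ) );
    }
    if ( 'unknown' === $verdict ) {
        // No Fetch Metadata and no Origin: an old browser or a non-browser
        // client such as a script using an application password. Log only,
        // so legitimate integrations keep working.
        fmg_log( 'unknown-origin', $_SERVER );
    }
}

/**
 * Returns 'same-site', 'cross-site' or 'unknown'.
 * Sec-Fetch-Site is used first: the browser sets it and page script cannot
 * override it. Origin is the fallback. Referer is deliberately not used as
 * evidence, because browsers and referrer policies routinely strip it.
 */
function fmg_classify_request( array $server, string $home_url ) {
    $sfs = strtolower( $server['HTTP_SEC_FETCH_SITE'] ?? '' );
    if ( '' !== $sfs ) {
        // 'none' means user-initiated (address bar, bookmark), not another site.
        return in_array( $sfs, array( 'same-origin', 'same-site', 'none' ), true )
            ? 'same-site'
            : 'cross-site';
    }

    $origin = $server['HTTP_ORIGIN'] ?? '';
    if ( '' === $origin || 'null' === $origin ) {
        return 'unknown';
    }

    $o = wp_parse_url( $origin );
    $h = wp_parse_url( $home_url );
    $same = isset( $o['host'], $h['host'] )
        && strtolower( $o['host'] ) === strtolower( $h['host'] )
        && ( $o['scheme'] ?? '' ) === ( $h['scheme'] ?? '' )
        && ( $o['port'] ?? null ) === ( $h['port'] ?? null );

    return $same ? 'same-site' : 'cross-site';
}

// One line per event, written to the PHP error log so it reaches whatever
// collector already watches that file.
function fmg_log( string $tag, array $server ) {
    error_log( sprintf(
        '[csrf-guard] %s user=%d method=%s uri=%s origin=%s sec-fetch-site=%s referer=%s',
        $tag,
        get_current_user_id(),
        $server['REQUEST_METHOD'] ?? '-',
        $server['REQUEST_URI'] ?? '-',
        $server['HTTP_ORIGIN'] ?? '-',
        $server['HTTP_SEC_FETCH_SITE'] ?? '-',
        $server['HTTP_REFERER'] ?? '-'
    ) );
}
```

Two caveats apply. Sec-Fetch-Site reports `same-site` for sibling subdomains, so if an attacker can host content on any subdomain of the site's registrable domain this guard will not stop them; only the per-handler nonce check does. And because the guard only logs requests that carry neither header, it is a detection and containment layer for browser-driven CSRF, not a replacement for the vendor patch.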

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability is particularly dangerous because the attacker does not need an account on the target site; a single visit to a malicious page by a logged-in user, and above all by an administrator, is enough. We strongly recommend patching as soon as the fixed version is available, and advise users to avoid browsing untrusted sites while logged into the application, or to log out first, until the update is applied.