A critical flaw (CVSS 9.8) in the ProfileGrid plugin for WordPress lets unauthenticated attackers hijack the site administrator's account by changing their email and resetting their password.
What Is It
CVE-2026-12073 is a privilege escalation vulnerability via account takeover in the ProfileGrid – User Profiles, Groups and Communities plugin for WordPress, developed by metagauss. The flaw exists because the plugin does not validate the user_login value on registration forms that omit this parameter, and it does not properly handle the resulting error messages. As a result, an unauthenticated attacker can change the email address of the user account with ID=1 (typically the administrator), then trigger a password reset and take over that account. The issue is classified as CWE-639 (Authorization Bypass Through User-Controlled Key).
Why It Matters
With a CVSS 3.1 base score of 9.8 (CRITICAL) and a vector of AV:N/AC:L/PR:N/UI:N, this vulnerability is remotely exploitable over the network with low complexity, requires no privileges, and needs no user interaction. The confidentiality, integrity, and availability impacts are all rated HIGH. Because the attack targets the account with ID=1, usually the primary administrator, a successful exploit hands an attacker full control of the affected WordPress site.
What's Vulnerable
- Vendor: metagauss
- Product: ProfileGrid – User Profiles, Groups and Communities (WordPress plugin)
- Affected versions: All versions up to and including 5.9.9.5
Patch Status
A code change addressing this issue was committed to the WordPress plugin repository (changeset 3578435). Administrators running ProfileGrid should update to a version newer than 5.9.9.5. The CISA KEV data consulted for this write-up contains no entry for this CVE, so the sources listed below do not confirm active exploitation.
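A quick way to confirm whether an installed copy still falls in the affected range (all versions up to and including 5.9.9.5), as an added example that is not code from the plugin, the changeset, or Wordfence. It reads the `Version:` line of the plugin's main file; the plugin file path and the sample header are assumptions made for illustration, and the comparison is done on integer tuples because a plain string comparison would rank 5.9.9.10 below 5.9.9.5.

```python
"""Check an installed ProfileGrid version against the CVE-2026-12073 affected range.
Added example; the plugin path and sample header below are constructed, not taken
from the plugin's real source."""
import re
import sys
from pathlib import Path
from typing import Optional, Tuple

LAST_VULNERABLE = "5.9.9.5"  # advisory: all versions up to and including this one

# Constructed sample of a WordPress plugin file header, for offline demonstration.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: ProfileGrid - User Profiles, Groups and Communities
 * Version: 5.9.9.5
 */
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.9.9.10' into (5, 9, 9, 10) so numeric ordering is used.
    Parsing stops at the first non-numeric component (e.g. 'beta')."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when version <= 5.9.9.5; shorter tuples are zero-padded first."""
    a, b = parse_version(version), parse_version(LAST_VULNERABLE)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) <= b + (0,) * (width - len(b))


def header_version(plugin_file_text: str) -> Optional[str]:
    """Extract the 'Version:' header value from plugin file text, if present."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", plugin_file_text, re.M | re.I)
    return m.group(1) if m else None


def check_plugin_file(path: str) -> Optional[bool]:
    """Return True/False for affected/not affected, or None if no version found."""
    version = header_version(Path(path).read_text(encoding="utf-8", errors="replace"))
    return None if version is None else is_affected(version)


if __name__ == "__main__":
    # Hypothetical default path; pass the real plugin file as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins/profilegrid-user-profiles-groups-and-communities/profilegrid.php"
    print(f"{target}: affected={check_plugin_file(target)}")
```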
Sources
- WordPress Plugin Trac Changeset 3578435; https://plugins.trac.wordpress.org/changeset/3578435/
- Wordfence Threat Intelligence; https://www.wordfence.com/threat-intel/vulnerabilities/id/2d35279d-299e-4ca2-8f84-165284e058c8?source=cve