The ProfileGrid WordPress plugin suffers from a missing capability check (CWE-862) in the pm_upload_cover_image function, which permits authenticated users with subscriber or higher privileges to delete attachments. This vulnerability exists in all versions up to 5.8.3 and can be exploited remotely over the network without user interaction. The CVSS 3.1 base score is 4.3, reflecting low complexity and limited impact confined to integrity.

An attacker with subscriber-level access or higher can delete attachments without proper authorization, leading to unauthorized data modification (integrity impact). There is no impact on confidentiality or availability according to the CVSS vector. This could disrupt user content or site data managed by the plugin but does not allow data disclosure or denial of service.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict subscriber-level permissions if possible or monitor for suspicious deletion activity related to attachments. Avoid granting unnecessary privileges to authenticated users. Follow updates from the plugin vendor or WordPress security channels for patch releases.