CVE-2025-6977 is a Reflected Cross-Site Scripting (XSS) vulnerability affecting the ProfileGrid – User Profiles, Groups and Communities plugin for WordPress, developed by metagauss. This vulnerability exists in all versions up to and including 5.9.5.4. The root cause is insufficient input sanitization and output escaping in the 'pm_get_messenger_notification' function. An unauthenticated attacker can exploit this flaw by crafting a malicious URL or payload that injects arbitrary JavaScript code into web pages. When a logged-in user clicks on such a crafted link or performs a related action, the injected script executes in the context of the victim's browser session. This can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.1 (medium severity), reflecting a network attack vector with low attack complexity, no privileges required, but requiring user interaction. The scope is changed, indicating that the vulnerability can affect resources beyond the vulnerable component. No known exploits are currently reported in the wild, and no official patches have been linked yet. However, given the widespread use of WordPress and the popularity of ProfileGrid for managing user profiles and communities, this vulnerability poses a tangible risk to websites relying on this plugin. Attackers can leverage this to target logged-in users, potentially including administrators, to execute malicious scripts that compromise confidentiality and integrity of user data and sessions.

For European organizations, the impact of this vulnerability can be significant, especially for those using WordPress sites with the ProfileGrid plugin to manage user communities, memberships, or customer portals. Successful exploitation can lead to theft of user credentials, session tokens, or personal data, violating GDPR requirements for data protection and privacy. It can also enable attackers to perform unauthorized actions on behalf of users, potentially leading to data manipulation or service disruption. Organizations in sectors such as e-commerce, education, healthcare, and government that rely on community engagement platforms are particularly at risk. The reflected XSS nature means that phishing or social engineering campaigns could be used to trick users into clicking malicious links, increasing the attack surface. Additionally, compromised user accounts could be leveraged for further lateral attacks within the organization’s network or to spread malware. The medium severity score indicates a moderate but non-negligible risk, especially given the ease of exploitation (no authentication needed) and the potential for scope escalation.

1. Immediate mitigation should include disabling or restricting access to the vulnerable 'pm_get_messenger_notification' functionality until a patch is available. 2. Apply strict input validation and output encoding on all user-controllable inputs, particularly those processed by the vulnerable function. 3. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected pages. 4. Educate users and administrators to be cautious about clicking on suspicious links, especially those received via email or messaging platforms. 5. Monitor web server logs and application logs for unusual URL patterns or repeated attempts to exploit XSS. 6. Regularly update the ProfileGrid plugin to the latest version once the vendor releases a patch addressing this vulnerability. 7. Employ Web Application Firewalls (WAFs) with rules to detect and block reflected XSS payloads targeting the plugin’s endpoints. 8. Conduct security audits and penetration testing focused on user input handling in the affected plugin to identify any additional weaknesses. 9. For organizations with high-risk profiles, consider isolating the WordPress environment or using containerization to limit potential damage from exploitation.