CVE-2025-6977 is a reflected Cross-Site Scripting vulnerability identified in the ProfileGrid – User Profiles, Groups and Communities plugin for WordPress, affecting all versions up to and including 5.9.5.4. The vulnerability arises from insufficient sanitization and escaping of user-supplied input in the ‘pm_get_messenger_notification’ function, which is responsible for generating messenger notification content. Because the input is not properly neutralized, an attacker can craft a malicious URL containing executable JavaScript code. When a logged-in user clicks this URL, the injected script executes in their browser within the context of the vulnerable site. This can lead to theft of session cookies, unauthorized actions performed on behalf of the user, or redirection to malicious sites. The attack requires no authentication on the attacker’s part but does require user interaction, specifically clicking a malicious link. The vulnerability has a CVSS 3.1 base score of 6.1, indicating medium severity, with an attack vector over the network, low attack complexity, no privileges required, but user interaction necessary. The scope is changed as the vulnerability affects user sessions and potentially other users. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS. Given the widespread use of WordPress and the popularity of ProfileGrid for managing user profiles and communities, this vulnerability poses a tangible risk to websites relying on this plugin for user interaction and messaging features.

The primary impact of CVE-2025-6977 is the compromise of user confidentiality and integrity on affected WordPress sites using the ProfileGrid plugin. Successful exploitation allows attackers to execute arbitrary scripts in the context of logged-in users, potentially leading to session hijacking, theft of sensitive information such as cookies or tokens, and unauthorized actions performed on behalf of users. This can result in account takeover, data leakage, and reputational damage to organizations. Since the vulnerability requires user interaction, the attack surface is somewhat limited but still significant, especially for sites with large active user bases. The vulnerability does not affect availability directly but can indirectly cause service disruption if exploited at scale or combined with other attacks. Organizations hosting communities, social networks, or membership sites with ProfileGrid are at risk of targeted phishing campaigns leveraging this flaw. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits rapidly once details are public. Overall, the medium severity rating reflects a moderate but actionable risk that can lead to serious security incidents if left unmitigated.

To mitigate CVE-2025-6977, organizations should first check for updates or patches from the ProfileGrid plugin vendor and apply them promptly once available. In the absence of an official patch, administrators can implement input validation and output encoding at the application or web server level to neutralize malicious input targeting the ‘pm_get_messenger_notification’ function. Disabling or restricting access to the vulnerable function or related messaging features temporarily can reduce exposure. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious query parameters or script injection attempts targeting this plugin is recommended. Educating users to avoid clicking on unsolicited or suspicious links can reduce the likelihood of successful exploitation. Additionally, monitoring logs for unusual URL patterns or user behavior indicative of XSS attempts can help detect exploitation attempts early. Regular security audits and penetration testing focusing on plugin vulnerabilities should be part of ongoing security hygiene. Finally, consider isolating or sandboxing user-generated content areas to limit the impact of potential script execution.