CVE-2026-1271 is a security vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the ProfileGrid – User Profiles, Groups and Communities plugin for WordPress. The vulnerability exists in all versions up to and including 5.9.7.2. It stems from the update_user_meta() function being invoked outside of proper authorization checks within the AJAX actions 'pm_upload_image' and 'pm_upload_cover_image', located in public/partials/crop.php and public/partials/coverimg_crop.php. This flaw allows any authenticated user with at least Subscriber-level privileges to modify the profile picture or cover image of any other user, including administrators, bypassing intended access controls. The vulnerability does not require elevated privileges beyond Subscriber and does not need additional user interaction. The impact is limited to integrity, as attackers can alter profile images but cannot access or modify other sensitive data or disrupt service availability. The CVSS 3.1 base score is 5.3, reflecting a medium severity due to network attack vector, low attack complexity, no privileges required, no user interaction, and limited impact on integrity only. No public exploits are known at this time, but the vulnerability could be leveraged for social engineering or impersonation attacks within WordPress communities using this plugin.

The primary impact of this vulnerability is on the integrity of user profile data within WordPress sites using the ProfileGrid plugin. Attackers with Subscriber-level access can change profile and cover images of any user, including administrators, potentially enabling impersonation or social engineering attacks. This could undermine trust within communities or organizations relying on these profiles for identity verification. While the vulnerability does not expose sensitive data or allow privilege escalation, the ability to alter administrator profile images could be leveraged to confuse or mislead users, potentially facilitating further attacks. The scope is limited to WordPress sites using this specific plugin, but given WordPress's widespread adoption, a significant number of sites could be affected. The vulnerability does not affect confidentiality or availability, and exploitation does not require user interaction, making it relatively easy to exploit once authenticated. However, since authentication is required, the risk is mitigated by the site's user registration and access policies.

To mitigate this vulnerability, organizations should immediately update the ProfileGrid plugin to a version where this issue is patched once available. In the absence of an official patch, administrators can implement temporary workarounds such as restricting the 'pm_upload_image' and 'pm_upload_cover_image' AJAX actions to higher privilege roles only, or disabling these actions entirely if not needed. Reviewing and hardening user role permissions to limit Subscriber-level access or implementing stricter user registration controls can reduce the attack surface. Additionally, monitoring user profile changes and implementing alerts for unexpected modifications to administrator profiles can help detect exploitation attempts. Web application firewalls (WAFs) can be configured to block suspicious AJAX requests targeting these endpoints. Finally, educating users and administrators about the risk of profile impersonation can help mitigate social engineering risks stemming from this vulnerability.