CVE-2026-2488: CWE-862 Missing Authorization in metagauss ProfileGrid – User Profiles, Groups and Communities
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized message deletion due to a missing capability check on the pg_delete_msg() function in all versions up to, and including, 5.9.8.1. This is due to the function not verifying that the requesting user has permission to delete the targeted message. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary messages belonging to any user by sending a direct request with a valid message ID (mid parameter).
AI Analysis
Technical Summary
CVE-2026-2488 is a missing authorization vulnerability (CWE-862) in the ProfileGrid – User Profiles, Groups and Communities WordPress plugin. The vulnerability arises from the pg_delete_msg() function failing to verify user permissions before allowing message deletion. Authenticated users with Subscriber-level privileges or higher can exploit this flaw by sending a direct request with a valid message ID to delete arbitrary messages of other users. This issue affects all plugin versions up to 5.9.8.1. The vulnerability has a CVSS 3.1 base score of 4.3, reflecting a network attack vector, low attack complexity, and requiring low privileges with no user interaction. The impact is limited to integrity loss (unauthorized message deletion) without confidentiality or availability impact. No known exploits in the wild or vendor patches have been reported as of the publication date.
Potential Impact
An attacker with at least Subscriber-level access can delete messages belonging to other users without authorization, resulting in unauthorized modification of data (integrity impact). There is no direct impact on confidentiality or availability. This could disrupt user communications or cause loss of message data within the affected plugin environment.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should consider restricting Subscriber-level access or disabling the ProfileGrid messaging feature if feasible. Monitoring for suspicious message deletions may help detect exploitation attempts. Avoid granting unnecessary privileges to users to reduce risk.
CVE-2026-2488: CWE-862 Missing Authorization in metagauss ProfileGrid – User Profiles, Groups and Communities
Description
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized message deletion due to a missing capability check on the pg_delete_msg() function in all versions up to, and including, 5.9.8.1. This is due to the function not verifying that the requesting user has permission to delete the targeted message. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary messages belonging to any user by sending a direct request with a valid message ID (mid parameter).
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-2488 is a missing authorization vulnerability (CWE-862) in the ProfileGrid – User Profiles, Groups and Communities WordPress plugin. The vulnerability arises from the pg_delete_msg() function failing to verify user permissions before allowing message deletion. Authenticated users with Subscriber-level privileges or higher can exploit this flaw by sending a direct request with a valid message ID to delete arbitrary messages of other users. This issue affects all plugin versions up to 5.9.8.1. The vulnerability has a CVSS 3.1 base score of 4.3, reflecting a network attack vector, low attack complexity, and requiring low privileges with no user interaction. The impact is limited to integrity loss (unauthorized message deletion) without confidentiality or availability impact. No known exploits in the wild or vendor patches have been reported as of the publication date.
Potential Impact
An attacker with at least Subscriber-level access can delete messages belonging to other users without authorization, resulting in unauthorized modification of data (integrity impact). There is no direct impact on confidentiality or availability. This could disrupt user communications or cause loss of message data within the affected plugin environment.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should consider restricting Subscriber-level access or disabling the ProfileGrid messaging feature if feasible. Monitoring for suspicious message deletions may help detect exploitation attempts. Avoid granting unnecessary privileges to users to reduce risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-02-13T21:00:10.000Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69ac8b60c48b3f10ffc6f686
Added to database: 3/7/2026, 8:32:32 PM
Last enriched: 4/9/2026, 6:42:05 PM
Last updated: 4/21/2026, 3:34:45 PM
Views: 67
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.