CVE-2026-11359
Received Received - Intake

Unauthorized Plugin Installation in ProfileGrid for WooCommerce

Vulnerability report for CVE-2026-11359, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: Wordfence

Description

The Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration plugin for WordPress is vulnerable to unauthorized plugin installation and activation in versions up to, and including, 3.4. This is due to a missing capability check and missing nonce validation on the pg_install_profilegrid() AJAX handler registered via wp_ajax_pg_install_profilegrid. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate the ProfileGrid plugin from wordpress.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
profilegrid woocommerce_integration to 3.4 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in the Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration plugin for WordPress, versions up to and including 3.4. It allows authenticated users with Subscriber-level access or higher to install and activate the ProfileGrid plugin without proper authorization.

This happens because the AJAX handler pg_install_profilegrid() lacks a capability check and nonce validation, which are security measures that should prevent unauthorized actions.

Impact Analysis

An attacker with at least Subscriber-level access can exploit this vulnerability to install and activate a plugin (ProfileGrid) without permission. This could lead to unauthorized changes to the WordPress environment.

While the vulnerability does not directly compromise confidentiality or availability, it can lead to integrity issues by allowing unauthorized plugin installation and activation, potentially enabling further malicious actions.

Mitigation Strategies

To mitigate this vulnerability, you should update the Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration plugin to a version later than 3.4 where the issue is fixed.

Additionally, restrict Subscriber-level users from accessing plugin installation or activation features until the update is applied.

Consider monitoring and limiting AJAX requests to the wp_ajax_pg_install_profilegrid handler to prevent unauthorized plugin installation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11359. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart