CVE-2025-26999
Published: 03 March 2025
Summary
CVE-2025-26999 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 48.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-26999 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Metagauss ProfileGrid WordPress plugin, known as profilegrid-user-profiles-groups-and-communities. The flaw enables Object Injection and affects all versions of the plugin from n/a through 5.9.4.3 inclusive. Published on 2025-03-03, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
An authenticated attacker with low privileges (PR:L), such as a standard WordPress user, can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N). Successful exploitation allows high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially leading to arbitrary code execution or other severe consequences via the object injection mechanism.
The Patchstack advisory provides further details on this PHP Object Injection vulnerability in ProfileGrid version 5.9.4.3, available at https://patchstack.com/database/Wordpress/Plugin/profilegrid-user-profiles-groups-and-communities/vulnerability/wordpress-profilegrid-plugin-5-9-4-3-php-object-injection-vulnerability?_s_id=cve. Security practitioners should consult this reference for mitigation guidance, such as updating to a patched version if available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5598
Vulnerability details
Deserialization of Untrusted Data vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities allows Object Injection.This issue affects ProfileGrid : from n/a through <= 5.9.4.3.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Deserialization/object injection vulnerability in public-facing WordPress plugin enables remote exploitation by authenticated low-priv users leading to arbitrary code execution (T1190) and privilege escalation (T1068).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely flaw remediation directly patches the deserialization of untrusted data vulnerability in ProfileGrid versions through 5.9.4.3, preventing object injection exploitation.
Information input validation ensures untrusted data is checked before deserialization, directly mitigating the object injection mechanism exploited by low-privilege authenticated attackers.
Vulnerability monitoring and scanning identifies the presence of CVE-2025-26999 in the ProfileGrid plugin, enabling timely patching to prevent exploitation.