CVE-2026-11359 PUBLISHED

Memberships and User Profiles for WooCommerce <= 3.4 - Missing Authorization to Authenticated (Subscriber+) ProfileGrid Plugin Installation and Activation

Assigner: Wordfence
Reserved: 05.06.2026 Published: 09.07.2026 Updated: 09.07.2026

The Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration plugin for WordPress is vulnerable to unauthorized plugin installation and activation in versions up to, and including, 3.4. This is due to a missing capability check and missing nonce validation on the pg_install_profilegrid() AJAX handler registered via wp_ajax_pg_install_profilegrid. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate the ProfileGrid plugin from wordpress.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 4.3

Product Status

Vendor metagauss
Product Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration
Versions Default: unaffected
  • affected from 0 to 3.4 (incl.)

Credits

  • John finder

References

Problem Types

  • CWE-862 Missing Authorization CWE