CVE-2025-47478: 
WordPress vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2025-47478) was discovered in Metagauss ProfileGrid WordPress plugin affecting versions up to 5.9.5.0. The vulnerability was reported by Trương Hữu Phúc and disclosed on May 12, 2025. This vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) with a CVSS v3.1 base score of 8.5 (HIGH) (Patchstack, NVD).

The vulnerability is classified as SQL Injection (CWE-89) with a CVSS v3.1 vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L. The exploitation requires Subscriber level privileges, allowing malicious actors to directly interact with the database (Patchstack, Wiz).

This vulnerability is considered highly dangerous and expected to become mass exploited. It could allow attackers to interact directly with the database, potentially leading to unauthorized access to sensitive information (Patchstack).

Users are advised to update to version 5.9.5.1 or later immediately to resolve the vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking attacks until users can update to a fixed version (Patchstack).