CVE-2025-49033: 
WordPress vulnerability analysis and mitigation

The ProfileGrid WordPress plugin contains an SQL Injection vulnerability (CVE-2025-49033) discovered in versions up to and including 5.9.5.3. The vulnerability was reported on June 13, 2025, and publicly disclosed on July 24, 2025. This security issue affects the ProfileGrid - User Profiles, Groups and Communities plugin for WordPress (Patchstack, Rapid7).

The vulnerability stems from insufficient escaping of user-supplied parameters and inadequate preparation of existing SQL queries. The issue has been assigned a CVSS score of 8.5 (High severity), with attack vector metrics of AV:N/AC:L/Au:S/C:C/I:N/A:N. This indicates a network-accessible vulnerability with low attack complexity requiring single authentication for complete confidentiality impact (Rapid7).

The vulnerability allows authenticated attackers with subscriber-level access or higher to append additional SQL queries to existing queries. This capability enables malicious actors to extract sensitive information from the database, potentially compromising the confidentiality of stored data (Patchstack).

The vulnerability has been patched in version 5.9.5.4 of the ProfileGrid plugin. Users are strongly advised to update to this version or later immediately. For those unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).