CVE-2025-49876: 
WordPress vulnerability analysis and mitigation

An SQL Injection vulnerability was discovered in Metagauss ProfileGrid WordPress plugin, identified as CVE-2025-49876. The vulnerability affects versions up to and including 5.9.5.2. The issue was first reported on May 28, 2025, and was publicly disclosed on July 10, 2025. The vulnerability received a CVSS v3.1 base score of 8.5 (High) (Patchstack).

The vulnerability stems from insufficient escaping of user-supplied parameters and inadequate preparation of existing SQL queries in the ProfileGrid plugin. This SQL injection vulnerability (CWE-89) allows authenticated users with subscriber-level access or higher to append additional SQL queries to existing ones. The vulnerability has been assigned a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L, indicating network accessibility, low attack complexity, and requiring low privileges (Rapid7, Patchstack).

The vulnerability allows attackers to extract sensitive information from the database. Due to its high CVSS score of 8.5, this vulnerability is considered highly dangerous and is expected to become mass exploited. The impact primarily affects data confidentiality, with potential for information disclosure from the WordPress database (Patchstack).

Users are strongly advised to update to version 5.9.5.3 or later, which contains the fix for this vulnerability. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).