Unrated severityNVD Advisory· Published Nov 20, 2024· Updated Apr 8, 2026

ProfileGrid – User Profiles, Groups and Communities <= 5.9.3.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Meta Deletion

CVE-2024-10900

Description

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pm_remove_file_attachment() function in all versions up to, and including, 5.9.3.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary user meta which can do things like deny an administrator's access to their site. .

Affected products

Metagauss/Profilegridllm-fuzzy
Range: <=5.9.3.6
metagauss/ProfileGrid – User Profiles, Groups and Communitiesv5
Range: 0
WordPress/Profilegridwp-canonicalize

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000