CVE-2026-12073: ProfileGrid - User Profiles, Groups and Communities <= 5.9.9.5 - Unauthenticated Privilege Escalation via Email Overwrite
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.9.9.5. This is due to the plugin not validating `user_login` on registration forms that don't contain this parameter, and not properly handling the resulting error messages. This makes it possible for unauthenticated attackers to change the email address of the user account with ID=1 (usually an administrator) and leverage that to reset the user's password and gain access to their account.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a privilege escalation via account takeover vulnerability in the ProfileGrid plugin for WordPress (versions up to and including 5.9.9.5). An unauthenticated attacker reachable over the network can exploit missing validation on registration forms to overwrite the email address of the WordPress administrator account (user ID 1), then trigger a standard password reset to gain full admin access. Successful exploitation gives the attacker complete control over the WordPress site with no credentials required. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built WordPress images that bundle the ProfileGrid plugin. Any image containing an affected version of the plugin is flagged automatically.
Status: Available
HarborGuard scores this finding at CVSS 9.8 (Critical) and weights it against each customer organization's compliance policy to determine urgency and routing. Findings are directed to the appropriate team inbox within each customer org based on configured ownership rules.
Status: Available
No upstream fix has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated version. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be initiated without manual intervention once a fix version exists.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the WordPress registration endpoint over the network; no local or physical access is needed.
- Authentication: Not required
  No account or credentials of any kind are needed; the attack is available to any unauthenticated HTTP client.
- Victim interaction: Not required
  The attacker manipulates the registration form directly; no action by any logged-in user is required to complete the takeover.
- Attack complexity: Low
  Exploitation is reliable and condition-free: the attacker only needs to send crafted registration requests, with no race conditions or special environmental factors required.
Blast Radius
- Attacker overwrites the email address of the site's primary administrator account (user ID 1) and resets its password, gaining full admin-level access to the WordPress dashboard.
- With admin access, the attacker can read all stored user data, private content, and any credentials or API keys stored in the site's settings.
- The attacker can install or modify plugins and themes, injecting persistent backdoors or malicious code into the site.
- The attacker can delete content, modify database records, or take the site fully offline, causing complete service disruption.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists for CVE-2026-12073 at this time, the platform monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically once the ProfileGrid maintainer publishes a remediated version. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will trigger without manual steps the moment a fix version is detected. In the interim, compensating controls worth considering include network-policy rules that restrict public access to WordPress registration endpoints, web application firewall rules that block manipulation of the user_login parameter on registration forms, and disabling open registration on affected WordPress instances if the feature is not required. Teams should treat any image containing ProfileGrid version 5.9.9.5 or earlier as carrying critical risk until an upstream patch is available.
- metagauss / ProfileGrid – User Profiles, Groups and Communities: ≤ 5.9.9.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
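The advisory's detection rule ("any image containing ProfileGrid version 5.9.9.5 or earlier carries critical risk") can be checked locally against a WordPress install. The script below is an added example, not HarborGuard's or the plugin's own code; it reads the standard WordPress plugin header fields (`Plugin Name:`, `Version:`) from `wp-content/plugins/*/*.php` and flags a ProfileGrid version at or below 5.9.9.5. The embedded header text is constructed for the demo and is not copied from the real plugin file.

```python
# Added example (not HarborGuard's or ProfileGrid's code): flag a WordPress
# plugin directory whose ProfileGrid plugin is at or below the affected
# version 5.9.9.5, using the standard WordPress plugin header fields.
import re
from pathlib import Path

AFFECTED_MAX = "5.9.9.5"   # from the advisory: <= 5.9.9.5 is vulnerable
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

# Constructed sample of a WordPress plugin header (the real plugin file's
# exact header text is not on the page; this mirrors the standard format).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: ProfileGrid – User Profiles, Groups and Communities
 * Version: 5.9.9.5
 * Author: Metagauss
 */
"""

def parse_plugin_header(text):
    """Extract 'Plugin Name' and 'Version' from the plugin file's header comment."""
    return dict(HEADER_RE.findall(text[:4096]))

def version_tuple(version):
    """'5.9.9.5' -> (5, 9, 9, 5); non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def is_affected(version, affected_max=AFFECTED_MAX):
    """True if version <= affected_max, comparing component-wise with zero padding."""
    a, b = version_tuple(version), version_tuple(affected_max)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) <= b + (0,) * (width - len(b))

def check_plugin_text(text):
    """Return (name, version, affected) if text is a ProfileGrid header, else None."""
    hdr = parse_plugin_header(text)
    name, ver = hdr.get("Plugin Name"), hdr.get("Version")
    if not (name and ver) or "profilegrid" not in name.lower():
        return None
    return name, ver, is_affected(ver)

def scan_plugins_dir(plugins_dir):
    """Walk wp-content/plugins/*/*.php and report every ProfileGrid main file found."""
    findings = []
    for php in Path(plugins_dir).glob("*/*.php"):
        result = check_plugin_text(php.read_text(errors="ignore"))
        if result:
            findings.append((str(php),) + result)
    return findings

if __name__ == "__main__":
    print(check_plugin_text(SAMPLE_HEADER))
```

Run `scan_plugins_dir("/var/www/html/wp-content/plugins")` inside an image or container to list any ProfileGrid copy with its version and an affected flag.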