CVE-2019-15873
HIGHProfileGrid < 2.8.6 - Remote Code Execution via pm_template_preview Action
Title source: manualDescription
The profilegrid-user-profiles-groups-and-communities plugin before 2.8.6 for WordPress has remote code execution via an wp-admin/admin-ajax.php request with the action=pm_template_preview&html=<?php substring followed by PHP code.
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/9086
Release Notes, Third Party Advisory x_refsource_misc
https://wordpress.org/plugins/profilegrid-user-profiles-groups-and-communities/#developers
Scores
CVSS v3
8.8
EPSS
0.0388
EPSS Percentile
88.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-94
Status
published
Products (1)
metagauss/profilegrid
< 2.8.6
Published
Sep 03, 2019
Tracked Since
Feb 18, 2026