CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-12073

criticalCVSS 9.8covered by 1 sourcefirst seen 2026-06-30
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.9.9.5. This is due to the plugin not validating a user_login on registration forms that don't contain this parameter, and not properly handling the error messages. This makes it possible for unauthenticated attackers to change email address of user account with ID=1 (usually an administrator), and leverage that to reset the user's password and gain access to their account.

⚡ Watch CVE-2026-12073

Get an email if CVE-2026-12073 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-12073

CVE.org record

Embed the live status

CVE-2026-12073 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-12073 status](https://www.csirts.com/badge/CVE-2026-12073)](https://www.csirts.com/cve/CVE-2026-12073)