A security vulnerability has been detected that allows threat actors to perform Reflected XSS attacks against the ProfileGrid WordPress plugin, which offers features such as creating and managing user groups on WordPress websites. In a Reflected XSS attack, a threat actor injects a malicious script directly into an HTTP request, and the script is then executed in the target user’s browser.
The vulnerability, tracked as CVE-2022-3578, is caused by the ProfileGrid WordPress plugin insufficiently sanitizing parameters sent to the page in versions before 5.1.1. As a result, a remote threat actor can direct users to open a malicious link and execute arbitrary HTML and script code in the user’s browser in the context of the vulnerable website.
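The defect class described above, as an added illustration that is not ProfileGrid's own code: a hypothetical WordPress shortcode (the shortcode name and the `example_name` parameter are invented) that reflects a request parameter into page markup, shown first unsanitized and then hardened with WordPress's built-in sanitizing and escaping helpers.

```php
<?php
// Added example (hypothetical plugin code, not from ProfileGrid).
// Both callbacks read the `example_name` query parameter and build a
// notice that is rendered where the shortcode appears on the page.

// UNSAFE: the raw parameter value is concatenated into the HTML. Any
// markup carried in the query string is rendered as-is, so a crafted
// link reaches the visitor's browser as page content.
function example_unsafe_profile_notice() {
    $name = isset( $_GET['example_name'] ) ? $_GET['example_name'] : '';
    return '<div class="notice">Viewing profile of ' . $name . '</div>';
}

// HARDENED: strip slashes WordPress adds, reduce the value to plain text
// on input, and escape it for the HTML body context on output. Use
// esc_attr() when writing into attribute values and esc_url() for
// href/src targets, since each context needs its own escaping.
function example_safe_profile_notice() {
    $name = isset( $_GET['example_name'] )
        ? sanitize_text_field( wp_unslash( $_GET['example_name'] ) )
        : '';
    return '<div class="notice">Viewing profile of ' . esc_html( $name ) . '</div>';
}

// Register only the hardened callback; the unsafe one is kept above for
// comparison while reviewing code.
add_shortcode( 'example_profile_notice', 'example_safe_profile_notice' );
```

Output escaping (esc_html and friends) is the control that closes the reflected-XSS path; input sanitizing alone is not sufficient because the same value may later be written into a different context.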
To avoid being targeted by attacks exploiting this vulnerability, it is recommended to upgrade vulnerable ProfileGrid installations immediately to the current version (5.1.1), which fixes the vulnerability.