ProfileGrid WooCommerce Integration Unauthorized Plugin Installation Vulnerability
The Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration plugin for WordPress is vulnerable to unauthorized plugin installation and activation in versions up to, and including, 3.4. This is due to a missing capability check and missing nonce validation on the pg_install_profilegrid() AJAX handler registered via wp_ajax_pg_install_profilegrid. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate the ProfileGrid plugin from wordpress.
Quick answer
Memberships and User Profiles for WooCommerce - ProfileGrid WooCommerce Integration should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- ProfileGrid WooCommerce Integration up to and including 3.4
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
ProfileGrid WooCommerce Integration is affected by CVE-2026-11359. Versions up to 3.4 can allow unauthorized plugin installation because subscriber-level users can install and activate the ProfileGrid plugin because capability and nonce checks are missing. Patch and review installed plugins for unexpected changes.
- Inventory WordPress and WooCommerce sites using ProfileGrid WooCommerce Integration.
- Update ProfileGrid WooCommerce Integration beyond 3.4 when a fixed release is available.
- Block the vulnerable AJAX handler or restrict it to trusted administrators until patched.
- Review installed and recently activated plugins for unexpected ProfileGrid installation activity.
- Remove unauthorized plugins and verify plugin files against trusted packages.
- Review subscriber-level accounts and recent logins for suspicious activity.
- Rotate administrator credentials if unauthorized plugin installation may have occurred.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm ProfileGrid WooCommerce Integration is no longer version 3.4 or older.
- Attempt the install action as a subscriber in staging and confirm it is denied.
- Confirm only approved plugins are installed and active.
- Review logs after patching for blocked install attempts.
- Run a Fixnx scan and verify public WordPress exposure after remediation.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-11359?
Memberships and User Profiles for WooCommerce - ProfileGrid WooCommerce Integration versions listed as affected should be reviewed: ProfileGrid WooCommerce Integration up to and including 3.4.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
