The ProfileGrid – User Profiles, Groups and Communities plugin, in versions prior to 2.8.6, is vulnerable to arbitrary code execution. An authenticated user with a role as low as Subscriber can execute arbitrary PHP code on websites using the plugin.
Send an authenticated POST request to wp-admin/admin-ajax.php with parameters action=pm_template_preview&html=
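To look for this request shape in logs that capture request bodies, the following is an added example, not part of the original advisory or the plugin's code. The JSON-lines layout, field names and sample records are constructed assumptions; only the endpoint, the action name and the html parameter come from the text above.

```python
import json
from urllib.parse import urlsplit, parse_qs

AJAX_SUFFIX = "/wp-admin/admin-ajax.php"
ACTION = "pm_template_preview"

# Constructed sample records. The JSON-lines layout and field names are
# assumptions standing in for any proxy/WAF log that captures request bodies.
SAMPLE_LOG = """\
{"ts":"2024-01-01T10:00:00Z","user":"sub1","method":"POST","url":"/wp-admin/admin-ajax.php","body":"action=pm_template_preview&html=%3Cp%3Epreview%3C%2Fp%3E"}
{"ts":"2024-01-01T10:00:05Z","user":"sub1","method":"POST","url":"/wp-admin/admin-ajax.php?action=pm_template_preview","body":"html=%3Cp%3Ex%3C%2Fp%3E"}
{"ts":"2024-01-01T10:00:09Z","user":"ed1","method":"POST","url":"/wp-admin/admin-ajax.php","body":"action=heartbeat&interval=60"}
{"ts":"2024-01-01T10:00:12Z","user":"sub2","method":"GET","url":"/wp-admin/admin-ajax.php?action=pm_template_preview","body":""}
{"ts":"2024-01-01T10:00:20Z","user":"sub3","method":"POST","url":"/blog/wp-admin/admin-ajax.php","body":"action=pm_template_preview&html="}
not-json garbage line
"""

def request_params(rec):
    """Combine query-string and body parameters: WordPress reads `action`
    from $_REQUEST, so it may arrive in either place."""
    merged = parse_qs(urlsplit(rec.get("url") or "").query, keep_blank_values=True)
    for key, vals in parse_qs(rec.get("body") or "", keep_blank_values=True).items():
        merged.setdefault(key, []).extend(vals)
    return merged

def is_template_preview_call(rec):
    """True for a POST to admin-ajax.php carrying the action and an html parameter."""
    if (rec.get("method") or "").upper() != "POST":
        return False
    if not urlsplit(rec.get("url") or "").path.endswith(AJAX_SUFFIX):
        return False
    params = request_params(rec)
    return ACTION in params.get("action", []) and "html" in params

def find_hits(log_text):
    """Return (timestamp, user) for every matching record; skip unparsable lines."""
    hits = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and is_template_preview_call(rec):
            hits.append((rec.get("ts"), rec.get("user")))
    return hits

if __name__ == "__main__":
    for ts, user in find_hits(SAMPLE_LOG):
        print(f"{ts} {user}: POST admin-ajax.php action={ACTION} with html parameter")
```

Default web-server access logs do not record POST bodies, so this check needs a source that does, and any hit from a low-privilege account on a site running a version prior to 2.8.6 warrants review.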