ProfileGrid WordPress Plugin Missing Authorization Vulnerability in Join Group Request Management

Vulnerability

A missing-authorization vulnerability exists in the ProfileGrid – User Profiles, Groups and Communities plugin for WordPress, in all versions up to and including 5.9.4.4. The pm_decline_join_group_request and pm_approve_join_group_request functions, which handle group join requests, do not perform a capability check before acting on a request; being logged in is the only condition they enforce. As a result, any authenticated user with Subscriber-level access or above can approve or decline join requests for any group, an action that should be reserved for administrators.
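The defect class the advisory describes, shown as an added illustration rather than ProfileGrid's own code: a WordPress AJAX handler that approves a join request. The first handler reproduces the vulnerable pattern (registered on a wp_ajax_ hook, so it runs for every logged-in user, with no capability or nonce check); the second is the hardened form. The pg_example_ prefix, the pg_join_requests table, the request_id parameter and the use of the manage_options capability as the "administrator" test are all assumptions made for the example.

```php
<?php
/*
 * Added example, not code from the ProfileGrid plugin.
 * Assumptions: the pg_example_ function and action names, a custom table
 * {prefix}pg_join_requests with columns id and status, a POST parameter
 * request_id, and manage_options as the administrator capability.
 */

/* ---- Vulnerable pattern -------------------------------------------------
 * wp_ajax_{action} fires for every authenticated user, Subscriber included.
 * Nothing here asks whether the caller is allowed to manage group requests,
 * and nothing verifies a nonce, so the request can also be forged cross-site.
 */
add_action( 'wp_ajax_pg_example_approve_join_request_vuln', 'pg_example_approve_join_request_vuln' );
function pg_example_approve_join_request_vuln() {
	global $wpdb;
	$request_id = (int) ( $_POST['request_id'] ?? 0 );
	$wpdb->update(
		$wpdb->prefix . 'pg_join_requests',
		array( 'status' => 'approved' ),
		array( 'id' => $request_id ),
		array( '%s' ),
		array( '%d' )
	);
	wp_send_json_success();
}

/* ---- Hardened pattern ---------------------------------------------------
 * Authentication (the wp_ajax_ hook) is not authorization. The handler must
 * check a nonce for the action, check a capability, and validate its input
 * before touching the database.
 */
add_action( 'wp_ajax_pg_example_approve_join_request', 'pg_example_approve_join_request' );
function pg_example_approve_join_request() {
	// 1. Anti-CSRF: the request must carry a nonce created for this action
	//    (the page emitting the form calls wp_create_nonce( 'pg_example_join_request' )).
	//    check_ajax_referer() dies with a -1 response when the nonce is missing or invalid.
	check_ajax_referer( 'pg_example_join_request', 'nonce' );

	// 2. Authorization: only administrators may approve join requests.
	//    This is the check the advisory reports as missing.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
	}

	// 3. Input validation: a positive integer id, nothing else.
	$request_id = isset( $_POST['request_id'] ) ? absint( $_POST['request_id'] ) : 0;
	if ( 0 === $request_id ) {
		wp_send_json_error( array( 'message' => 'Invalid request id' ), 400 );
	}

	global $wpdb;
	$updated = $wpdb->update(
		$wpdb->prefix . 'pg_join_requests',
		array( 'status' => 'approved' ),
		array( 'id' => $request_id, 'status' => 'pending' ), // only pending requests transition
		array( '%s' ),
		array( '%d', '%s' )
	);

	// $wpdb->update() returns false on error and 0 when no row matched.
	if ( false === $updated ) {
		wp_send_json_error( array( 'message' => 'Database error' ), 500 );
	}
	if ( 0 === $updated ) {
		wp_send_json_error( array( 'message' => 'No pending request with that id' ), 404 );
	}

	wp_send_json_success( array( 'request_id' => $request_id, 'status' => 'approved' ) );
}
```

When auditing a plugin for this class of bug, grep for add_action( 'wp_ajax_ registrations and confirm that each handler calls current_user_can() (or an equivalent ownership check) before any state change; a handler that only relies on the hook firing for logged-in users has the same weakness as the first function above.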

Impact

Exploitation of this vulnerability allows any authenticated user, including a Subscriber, to manage join requests for groups they have no right to administer, for example approving their own or another user's request to a group they would otherwise not be admitted to, or declining legitimate requests. This undermines group membership control and moderation within the community.

Remediation

Users are advised to update the ProfileGrid – User Profiles, Groups and Communities plugin to version 5.9.4.5, the first release containing the fix, or to any newer version. Until the update is applied, limiting which accounts can register or log in reduces exposure, since the flaw requires an authenticated user.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

Category         Score
spread           5.2
impact           0.6
exploitability   5.4
remediation      7.7
relevance        0.0
threat           0.0
urgency          2.9
incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.