ProfileGrid
Moderate fix1 remedy
cpe:2.3:a:profilegrid:profilegrid:*:*:*:*:wordpress:*:*
Moderate fix1 remedy
- <= 5.9.8.4
ProfileGrid WordPress Plugin Missing Authorization Vulnerability Allows Arbitrary Group Joining
Vulnerability
Patched
A vulnerability exists in the ProfileGrid – User Profiles, Groups and Communities plugin for WordPress, in all versions through 5.9.8.4. The issue arises from a missing capability check in the 'pm_invite_user' function, which allows authenticated users with Subscriber-level access and above to add themselves or any registered user to any ProfileGrid group. This includes closed and paid groups, bypassing all authorization and payment requirements.
Impact
Exploitation of this vulnerability allows for unauthorized group membership changes, including access to closed and paid groups, which could be misused for unauthorized activities or benefits within those groups.
Reproduction
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can use the 'pm_invite_user' function without the necessary capability checks. This can be done by sending a request that includes the 'gid' parameter with the ID of the group to which the user wants to be added. The request can be made through the WordPress admin interface or via a custom script that interacts with the WordPress REST API.
Remediation
Users are advised to update the ProfileGrid – User Profiles, Groups and Communities plugin to version 5.9.8.5 or later.
Added: May 13, 2026, 7:04 PM
Updated: May 13, 2026, 7:04 PM
Vulnerability Rating
Custom Algorithm
spread
5.2impact
0.6exploitability
6.4remediation
7.7relevance
8.2threat
4.8urgency
2.9incentive
0.0Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.