Description
The Groups plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0 via the 'group_id' parameter of the group_join function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to register for groups other than ones set in the shortcode.
Published: 2025-11-08
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized group membership
Action: Update Plugin
AI Analysis

Impact

The Groups plugin for WordPress contains an insecure direct object reference flaw that allows an attacker with Subscriber-level or higher access to use the group_join function and supply a group_id that was not intended for the visitor. The lack of validation on this user-controlled key means the attacker can register for any group, potentially bypassing the intended membership controls or privacy settings enforced by the shortcode. This flaw does not provide denial of service or privilege escalation beyond the user’s existing authenticated session, but it enables unwanted membership in groups that may contain sensitive information or associated access rights.
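The defensive pattern that closes this class of flaw is to treat the shortcode's configured group as the only legitimate join target and to reject any submitted group_id that is not in that set. The following is an added example of a hardened join shortcode; it is not the Groups plugin's own code. Function and attribute names prefixed with example_ are hypothetical, and the Groups_User_Group::create() call is assumed to be the plugin's membership API (verify against the installed version). WordPress core functions used (shortcode_atts, absint, wp_nonce_field, wp_verify_nonce, wp_unslash, sanitize_text_field, get_current_user_id, esc_attr, esc_html, add_shortcode) are real.

```php
<?php
/**
 * Added example, not the Groups plugin's code: a join-group shortcode that only
 * accepts a group_id the shortcode author configured, e.g.
 *   [example_group_join group="12,15"]
 * Everything prefixed example_ is hypothetical.
 */

/** Parse the shortcode's "group" attribute into a list of positive integer ids. */
function example_group_join_allowed_ids( array $atts ) {
    $ids = array();
    foreach ( explode( ',', (string) $atts['group'] ) as $raw ) {
        $id = absint( trim( $raw ) );
        if ( $id > 0 ) {
            $ids[] = $id;
        }
    }
    return $ids;
}

/**
 * The missing check: the submitted value is user-controlled, so it is only a
 * valid target if it is one of the ids the shortcode allows. Returns the
 * validated id, or 0 to reject. Pure function, so it can be unit-tested.
 */
function example_group_join_resolve( array $allowed_ids, $submitted ) {
    $submitted = absint( $submitted );
    if ( 0 === $submitted ) {
        return 0;
    }
    return in_array( $submitted, $allowed_ids, true ) ? $submitted : 0;
}

function example_group_join_shortcode( $atts ) {
    $atts    = shortcode_atts( array( 'group' => '' ), $atts, 'example_group_join' );
    $allowed = example_group_join_allowed_ids( $atts );
    if ( empty( $allowed ) ) {
        return ''; // Misconfigured shortcode: render nothing rather than a join form for "any" group.
    }

    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        return '<p>Please log in to join.</p>';
    }

    $output = '';
    if ( isset( $_POST['example_group_join_group_id'], $_POST['example_group_join_nonce'] ) ) {
        $group_id = example_group_join_resolve(
            $allowed,
            wp_unslash( $_POST['example_group_join_group_id'] )
        );
        // The nonce action embeds the group id, so a token issued for one group
        // cannot be replayed against another; the allowlist check above is still
        // the decisive control, because nonces are obtainable by any logged-in viewer.
        $nonce    = sanitize_text_field( wp_unslash( $_POST['example_group_join_nonce'] ) );
        $nonce_ok = $group_id > 0 && wp_verify_nonce( $nonce, 'example_group_join_' . $group_id );
        if ( ! $nonce_ok ) {
            return '<p>Invalid join request.</p>';
        }
        // Persist the membership. Assumed to be the plugin's API; see lead-in.
        Groups_User_Group::create( array( 'user_id' => $user_id, 'group_id' => $group_id ) );
        $output .= '<p>Joined group ' . esc_html( $group_id ) . '.</p>';
    }

    // Render one form per allowed group; the hidden id is a convenience for the
    // browser, never a source of authority on the server.
    foreach ( $allowed as $group_id ) {
        $output .= '<form method="post">';
        $output .= '<input type="hidden" name="example_group_join_group_id" value="' . esc_attr( $group_id ) . '">';
        $output .= wp_nonce_field( 'example_group_join_' . $group_id, 'example_group_join_nonce', true, false );
        $output .= '<button type="submit">Join group ' . esc_html( $group_id ) . '</button>';
        $output .= '</form>';
    }
    return $output;
}
add_shortcode( 'example_group_join', 'example_group_join_shortcode' );
```

The point of separating example_group_join_resolve() from the handler is that the authorization decision depends only on the shortcode's configuration and the submitted value, which makes it easy to test that an id outside the allowlist is always rejected regardless of how the request was formed.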

Affected Systems

WordPress sites running the itthinx Groups plugin version 3.7.0 or earlier are affected. The vulnerability applies to all releases up to and including 3.7.0, regardless of the WordPress core version. Site administrators should verify which plugin version is installed and plan an update accordingly.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1 percent suggests a low probability of exploitation at this time. The vulnerability is not included in the CISA KEV catalog. The attacker must first authenticate to the site with a Subscriber or higher role, which limits the threat to users who already hold an account. Once logged in, the attacker can join arbitrary groups by manipulating the group_id parameter, but no further system compromise or data exfiltration is possible with this flaw alone.

Generated by OpenCVE AI on April 21, 2026 at 01:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Groups plugin to the latest version, which includes a fix for the insecure direct object reference.
  • If an update is not immediately feasible, restrict the use of the group_join shortcode or the group_join function to administrator roles only, ensuring that only privileged users can register for groups via this method.
  • Audit existing group memberships and review logs for unexpected entries to detect any unauthorized joins that may have occurred before a remediation action is applied.

Advisories

No advisories yet.

History

Tue, 11 Nov 2025 14:45:00 +0000

Type: Description
  Values Removed: The Groups plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.0 via the 'group_id' parameter of the group_join function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to register for groups other than ones set in the shortcode.
  Values Added: The Groups plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0 via the 'group_id' parameter of the group_join function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to register for groups other than ones set in the shortcode.
Type: Title
  Values Removed: Groups <= 6.7.0 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Group Join
  Values Added: Groups <= 3.7.0 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Group Join

Mon, 10 Nov 2025 15:15:00 +0000

Type: Metrics
  Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 10 Nov 2025 09:45:00 +0000

Type: First Time appeared
  Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Sat, 08 Nov 2025 03:45:00 +0000

Type: Description
  Values Added: The Groups plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.0 via the 'group_id' parameter of the group_join function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to register for groups other than ones set in the shortcode.
Type: Title
  Values Added: Groups <= 6.7.0 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Group Join
Type: Weaknesses
  Values Added: CWE-639
Type: References
Type: Metrics
  Values Added: cvssV3_1
    {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:24:58.339Z

Reserved: 2025-10-14T14:48:21.935Z

Link: CVE-2025-11748

Vulnrichment

Updated: 2025-11-10T14:07:28.277Z

NVD

Status : Deferred

Published: 2025-11-08T04:15:43.383

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11748

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:00:12Z

Weaknesses