Description
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pm_decline_join_group_request and pm_approve_join_group_request functions in all versions up to, and including, 5.9.4.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to approve or decline join group requests, which should normally be available to administrators only.
Published: 2025-03-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Unauthorized Approval or Decline of Group Join Requests
Action: Patch Now
AI Analysis

Impact

The vulnerability is a missing capability check in the pm_decline_join_group_request and pm_approve_join_group_request functions. As a result, users who possess only Subscriber-level access—or any role equal to or higher than Subscriber—can illegitimately approve or decline requests to join a group. This allows an authenticated attacker to alter group membership, bypassing administrative controls and potentially granting themselves or others membership to groups they should not belong to, thereby affecting community integrity and privacy.

Affected Systems

The affected product is the ProfileGrid – User Profiles, Groups and Communities WordPress plugin, version 5.9.4.4 and earlier. The plugin is distributed by Metagauss and is installed on WordPress sites where group and community functionality is enabled.

Risk and Exploitability

The CVSS score of 4.3 corresponds to Medium severity, and the EPSS score below 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, so no active exploitation is publicly known. The flaw is reachable over the network (AV:N) but requires an authenticated account with Subscriber-level access or above (PR:L); it does not provide remote code execution.

Generated by OpenCVE AI on April 22, 2026 at 01:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ProfileGrid plugin to the latest stable version (5.9.4.5 or later) where the missing capability check has been implemented.
  • If an immediate upgrade is not feasible, implement a temporary filter that blocks the pm_decline_join_group_request and pm_approve_join_group_request actions for all non-administrator roles, thereby preventing unauthorized group-join approvals or declines.
  • Review the WordPress role capabilities and remove any custom or inherited capabilities that would allow Subscriber or lower roles to perform group-management actions, ensuring that only administrators retain such privileges.
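The second action above, as an added example (not code from Metagauss, Wordfence or OpenCVE): a must-use plugin that refuses the two named actions to any user lacking the administrator capability manage_options. It assumes the two functions are reached through wp-admin/admin-ajax.php with the action request parameter set to the function name; the file path and the function and constant names used here are hypothetical.

```php
<?php
/**
 * Plugin Name: Temporary guard for ProfileGrid join-request actions
 * Description: Stop-gap for CVE-2025-1408 until ProfileGrid is updated.
 *              Added example, not code from Metagauss or OpenCVE.
 *
 * Install as a must-use plugin: wp-content/mu-plugins/pg-join-request-guard.php
 * (hypothetical path). mu-plugins load before ordinary plugins.
 */

// The two handlers named in the advisory. The advisory only calls them
// "functions"; this guard ASSUMES they are dispatched through
// wp-admin/admin-ajax.php with the request parameter action=<function name>,
// the usual pattern for WordPress plugin AJAX handlers.
const PG_GUARDED_ACTIONS = array(
    'pm_approve_join_group_request',
    'pm_decline_join_group_request',
);

/**
 * Runs on admin_init, which admin-ajax.php fires before dispatching any
 * wp_ajax_{action} hook, so this check precedes the plugin's own handler.
 */
function pg_guard_join_request_actions() {
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';

    if ( ! in_array( $action, PG_GUARDED_ACTIONS, true ) ) {
        return; // not one of the affected actions
    }

    // Administrators hold manage_options; every other role is refused here.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    // Record the refused attempt so host-level log monitoring can see it.
    error_log( sprintf(
        'CVE-2025-1408 guard: refused %s for user %d',
        $action,
        get_current_user_id()
    ) );

    if ( wp_doing_ajax() ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
}
add_action( 'admin_init', 'pg_guard_join_request_actions', 0 );
```

If the plugin exposes these functions through another entry point (a REST route or a wp_ajax_nopriv_ action), this guard does not cover it; confirm the dispatch path in the installed plugin's source before relying on it.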


Advisories

Source: EUVD
ID: EUVD-2025-7193
Title: The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pm_decline_join_group_request and pm_approve_join_group_request functions in all versions up to, and including, 5.9.4.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to approve or decline join group requests, which should normally be available to administrators only.
History

Thu, 27 Mar 2025 01:00:00 +0000
  • First Time appeared (added): Metagauss; Metagauss profilegrid
  • CPEs (added): cpe:2.3:a:metagauss:profilegrid:*:*:*:*:*:wordpress:*:*
  • Vendors & Products (added): Metagauss; Metagauss profilegrid

Mon, 24 Mar 2025 16:15:00 +0000
  • Metrics ssvc (added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 22 Mar 2025 04:45:00 +0000
  • Description (added): The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pm_decline_join_group_request and pm_approve_join_group_request functions in all versions up to, and including, 5.9.4.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to approve or decline join group requests, which should normally be available to administrators only.
  • Title (added): ProfileGrid – User Profiles, Groups and Communities <= 5.9.4.4 - Missing Authorization to Authenticated (Subscriber+) Join Group Requests Management
  • Weaknesses (added): CWE-862
  • References: no values recorded
  • Metrics cvssV3_1 (added): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

MITRE
  Status: PUBLISHED
  Assigner: Wordfence
  Published:
  Updated: 2026-04-08T16:57:29.054Z
  Reserved: 2025-02-17T22:08:23.306Z
  Link: CVE-2025-1408

Vulnrichment
  Updated: 2025-03-24T14:51:51.203Z

NVD
  Status: Analyzed
  Published: 2025-03-22T05:15:38.353
  Modified: 2025-03-27T00:38:34.650
  Link: CVE-2025-1408

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-04-22T02:00:05Z

Weaknesses