Impact
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress contains an authorization bypass that enables authenticated users with at least Subscriber level to use the pm_set_group_order, pm_set_group_items, and pm_set_field_order AJAX actions without proper permission checks. This flaw permits attackers to change group menu order, group list order, group icon display, and field ordering across the site, affecting both the appearance and functionality of the community features. The weakness is a classic missing‑authorization flaw, corresponding to CWE‑862, where the plugin fails to verify that the user has the right to perform the action. The resulting impact is a degradation of the site’s integrity and potential manipulation of user interaction flow.
Affected Systems
The vulnerability affects the MetaGauss ProfileGrid plugin for WordPress, in all releases up to and including version 5.9.8.4. No specific WordPress core versions are mentioned, so any WordPress installation using one of these plugin versions is potentially impacted. The issue is specific to the plugin’s admin area and its AJAX handlers; regular visitors are not affected.
Risk and Exploitability
The assigned CVSS score of 4.3 indicates moderate severity, reflecting that the flaw requires a logged‑in user with Subscriber level access, which is a common role. Because the EPSS score is not available, the current exploitation probability cannot be quantified, but the lack of a KEV listing suggests that no large‑scale exploit activity has been reported yet. Nonetheless, the risk increases if the site allows unauthenticated users to assume a Subscriber role via other means, or if a malicious user is promoted. A direct attack would involve authenticating as a subscriber and then invoking one of the AJAX actions to reorder groups or fields, which could alter the user interface and potentially hide or expose content depending on the site’s configuration.
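One way to enforce the missing permission check from outside the plugin, as an added example (not code from ProfileGrid or from this advisory): a must-use plugin that runs a capability check ahead of the three named actions and logs refused calls. It assumes the actions are registered on the standard wp_ajax_ hooks and that manage_options is the appropriate capability; the pg_ function and constant names are hypothetical.

```php
<?php
/**
 * Plugin Name: ProfileGrid ordering-action guard (added example)
 * Description: Refuses the ProfileGrid ordering AJAX actions for users
 *              who lack an administrative capability.
 */

// Action names as listed in the advisory text.
const PG_GUARDED_ACTIONS = array(
    'pm_set_group_order',
    'pm_set_group_items',
    'pm_set_field_order',
);

// Assumption: only administrators should reorder groups and fields.
// Change this if the site delegates that task to another capability.
const PG_REQUIRED_CAPABILITY = 'manage_options';

/**
 * Runs before the plugin's own handler. Returns silently for authorized
 * users so the original handler executes; otherwise logs and answers 403.
 */
function pg_guard_ordering_action() {
    if ( current_user_can( PG_REQUIRED_CAPABILITY ) ) {
        return;
    }

    // Leave a trace so refused calls show up in log review.
    error_log( sprintf(
        'ProfileGrid guard: refused %s for user ID %d from %s',
        current_action(), // e.g. wp_ajax_pm_set_group_order
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // Sends the JSON body with HTTP 403 and ends the AJAX request,
    // so the plugin's handler at the default priority never runs.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// Priority 0 places the guard ahead of handlers added at the default
// priority of 10.
foreach ( PG_GUARDED_ACTIONS as $pg_action ) {
    add_action( 'wp_ajax_' . $pg_action, 'pg_guard_ordering_action', 0 );
}
```

Placed in wp-content/mu-plugins/, the file loads on every request and cannot be deactivated from the Plugins screen.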