The ProfileGrid – User Profiles, Groups and Communities plugin contains a missing capability check in the pm_invite_user function, allowing any authenticated user with subscriber-level access or higher to add themselves or any registered user to any ProfileGrid group, including closed and paid groups. This flaw enables an attacker to bypass all authorization and payment gates, creating an unauthorized pathway to group content and potentially sensitive data. The vulnerability is a classic access control weakness (CWE‑862) that undermines the integrity and confidentiality of group membership and can result in revenue loss if paid groups are accessed freely.

This issue affects the WordPress plugin metagauss:ProfileGrid – User Profiles, Groups and Communities, specifically all released versions up to and including 5.9.8.4. Users who have installed any of these versions are vulnerable unless the plugin has been updated beyond the stated version.

With a CVSS score of 7.1 the flaw is assessed as high severity, and although an EPSS score is not published, the lack of listing in the CISA KEV catalog suggests it is not yet a widely exploited condition. The attack vector requires an authenticated subscriber or higher, so an attacker must first obtain valid user credentials or social engineer a lone subscriber to take advantage of the open invite capability. Once compromised, the attacker can add themselves or any other user to any group, effectively executing a privilege escalation within the group domain and enabling access to otherwise restricted content.