CVE-2026-4607

Name of the Vulnerable Software and Affected Versions ProfileGrid versions prior to 5.9.8.5

Description The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress contains an authorization bypass. The issue occurs because the plugin fails to properly verify if a user is authorized to perform actions through the AJAX actions 'pm set group order', 'pm set group items', and 'pm set field order'. Authenticated attackers with Subscriber-level access or higher can exploit this to modify site-wide group settings, including group menu order, group list order, group icon display, and field ordering.

Recommendations Update to a version later than 5.9.8.4.