PT-2026-40611 · WordPress · Profilegrid
Jonah Burgess · Published 2026-05-13 · Updated 2026-05-13 · CVE-2026-4609
CVSS v3.1: 7.1 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
ProfileGrid – User Profiles, Groups and Communities versions prior to 5.9.8.5
Description
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress allows unauthorized access because the pm_invite_user() function lacks a capability check. Authenticated attackers with Subscriber-level access or higher can exploit this to add themselves or other registered users to any group, including closed and paid groups, effectively bypassing authorization and payment gates.
Recommendations
Update the plugin to a version later than 5.9.8.4.
As a temporary workaround, restrict access to the pm_invite_user() function to minimize the risk of exploitation.
Fix
Missing Authorization
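The class of bug described above is a WordPress AJAX handler that any logged-in user can reach and that never asks whether the caller is allowed to manage the group in question. The following is an added illustration written for this advisory, not ProfileGrid's code and not the actual pm_invite_user() implementation: it shows a vulnerable handler next to a hardened one. Every name it uses (the example_ prefix, the example_group post type, the example_group_ids meta key, the nonce action) is an assumption made for the example; the WordPress API calls (check_ajax_referer, current_user_can, get_post, get_userdata, get_user_meta, update_user_meta, wp_send_json_error, wp_send_json_success, add_action) are real.

```php
<?php
// Added illustration, not ProfileGrid's code. All example_* names, the
// 'example_group' post type and the 'example_group_ids' meta key are assumptions.

// --- Vulnerable pattern: wp_ajax_* hooks fire for every authenticated user,
// and this handler trusts the request without checking who is asking or for whom.
function example_invite_user_vulnerable() {
    $group_id = absint( $_POST['group_id'] ?? 0 );
    $user_id  = absint( $_POST['user_id'] ?? 0 );

    // No nonce, no capability check, no ownership check: a Subscriber can add
    // any registered user (including themself) to any group, closed or paid.
    example_add_member( $group_id, $user_id );
    wp_send_json_success( array( 'group_id' => $group_id, 'user_id' => $user_id ) );
}

// --- Hardened pattern: verify the request origin, the caller's privilege over
// this specific group, and the validity of the target user.
function example_invite_user_hardened() {
    // CSRF protection: the calling form/JS must send a nonce created with
    // wp_create_nonce( 'example_invite_user' ) in the 'nonce' field.
    check_ajax_referer( 'example_invite_user', 'nonce' );

    $group_id = absint( $_POST['group_id'] ?? 0 );
    $user_id  = absint( $_POST['user_id'] ?? 0 );

    if ( ! example_can_manage_group( get_current_user_id(), $group_id ) ) {
        // Explicit 403 rather than a silent success; also gives log/WAF rules
        // a clear signal when unprivileged accounts probe the endpoint.
        wp_send_json_error( array( 'message' => 'Not allowed to manage this group.' ), 403 );
    }

    if ( ! get_userdata( $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown user.' ), 400 );
    }

    example_add_member( $group_id, $user_id );
    wp_send_json_success( array( 'group_id' => $group_id, 'user_id' => $user_id ) );
}

// The authorization decision, kept in one place so every entry point (AJAX,
// REST, shortcode) applies the same rule. Assumes groups are posts of a custom
// post type whose post_author is the group owner.
function example_can_manage_group( $caller_id, $group_id ) {
    if ( ! $caller_id || ! $group_id ) {
        return false;
    }
    if ( current_user_can( 'manage_options' ) ) {
        return true; // site administrators may manage any group
    }
    $group = get_post( $group_id );
    if ( ! $group || 'example_group' !== $group->post_type ) {
        return false;
    }
    return (int) $group->post_author === (int) $caller_id; // group owner only
}

// Membership storage for the example: a per-user meta array of group IDs.
function example_add_member( $group_id, $user_id ) {
    $groups = array_filter( (array) get_user_meta( $user_id, 'example_group_ids', true ) );
    if ( ! in_array( $group_id, $groups, true ) ) {
        $groups[] = $group_id;
        update_user_meta( $user_id, 'example_group_ids', array_values( $groups ) );
    }
}

// Only the hardened handler is registered. Because wp_ajax_ hooks are
// reachable by any logged-in account, the capability check has to live inside
// the handler; the hook registration itself provides no authorization.
add_action( 'wp_ajax_example_invite_user', 'example_invite_user_hardened' );
```

The point the advisory makes is visible in the difference between the two handlers: authentication (being logged in) is not authorization (being allowed to change this group). A temporary workaround of the kind the recommendations mention amounts to placing a check like example_can_manage_group() in front of the vulnerable function until the patched plugin version is installed.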
Affected Products
Profilegrid