PT-2026-5876 · WordPress
Athiwat Tiprasaharn · Published 2026-02-05 · Updated 2026-02-05
CVE-2025-13416 · CVSS v3.1 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
ProfileGrid – User Profiles, Groups and Communities plugin for WordPress versions through 5.9.7.2
Description
The ProfileGrid plugin for WordPress is susceptible to unauthorized user suspension because of a missing capability check in the pm_deactivate_user_from_group() function. Authenticated attackers with Subscriber-level access or higher can suspend any user from groups, potentially including administrators, by calling the pm_deactivate_user_from_group AJAX action.
Recommendations
Update to a version beyond 5.9.7.2.
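As an added illustration of the weakness class described above (not ProfileGrid's code; the plugin's real handler is named pm_deactivate_user_from_group, while everything below uses a made-up pg_demo prefix and an assumed option-based storage helper), a WordPress AJAX handler that lacks a capability check, followed by a hardened version that verifies a nonce and a capability before acting on another user's membership:

```php
<?php
// Illustrative only: a made-up plugin "pg_demo", not ProfileGrid's actual code.

// WEAK: wp_ajax_ hooks fire for any logged-in user, and the callback trusts the
// request. A Subscriber can post user_id/group_id and suspend any member.
add_action( 'wp_ajax_pg_demo_deactivate_user_from_group', 'pg_demo_deactivate_user_weak' );
function pg_demo_deactivate_user_weak() {
    $user_id  = absint( $_POST['user_id'] ?? 0 );
    $group_id = absint( $_POST['group_id'] ?? 0 );
    pg_demo_set_suspended( $group_id, $user_id, true ); // no nonce, no capability check
    wp_send_json_success();
}

// HARDENED: verify the nonce, then require a capability that only group
// managers/administrators hold before touching another user's membership.
add_action( 'wp_ajax_pg_demo_deactivate_user_from_group_safe', 'pg_demo_deactivate_user_safe' );
function pg_demo_deactivate_user_safe() {
    check_ajax_referer( 'pg_demo_group_admin', 'nonce' ); // CSRF protection, dies on failure

    $user_id  = absint( $_POST['user_id'] ?? 0 );
    $group_id = absint( $_POST['group_id'] ?? 0 );
    if ( ! $user_id || ! $group_id ) {
        wp_send_json_error( 'invalid parameters', 400 );
    }

    // Authorization: 'manage_options' is a built-in admin capability; a real
    // plugin would more likely check its own group-manager capability or
    // whether the current user owns/moderates $group_id.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    pg_demo_set_suspended( $group_id, $user_id, true );
    wp_send_json_success();
}

// Storage helper (assumed): suspended members kept in an option keyed by group.
function pg_demo_set_suspended( $group_id, $user_id, $suspended ) {
    $key  = 'pg_demo_suspended_' . $group_id;
    $list = (array) get_option( $key, array() );
    if ( $suspended ) {
        $list[ $user_id ] = time();
    } else {
        unset( $list[ $user_id ] );
    }
    update_option( $key, $list );
}
```

The nonce alone does not fix the issue: a nonce proves the request came from a page the caller legitimately loaded, while the capability check is what stops a low-privilege account from acting on other members.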
Fix
Missing Authorization
Weakness Enumeration
Affected Products
Profilegrid
Wordpress