WordPress Plugin Vulnerabilities

ProfileGrid – User Profiles, Groups and Communities < 5.9.7.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Suspension

Description

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized user suspension due to a missing capability check on the pm_deactivate_user_from_group() function in all versions up to, and including, 5.9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to suspend arbitrary users from groups, including administrators, via the pm_deactivate_user_from_group AJAX action.

Affects Plugins

Plugin icon
profilegrid-user-profiles-groups-and-communities
Fixed in 5.9.7.3

References

CVE
CVE-2025-13416
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/31c2cd54-f258-43ea-8db2-8d98ad7014d1

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Athiwat Tiprasaharn (Jitlada)
Verified
No
WPVDB ID
c66a7f96-aaa5-43ec-ba32-83967280a96f

Timeline

Publicly Published
2026-02-04 (about 3 months ago)
Added
2026-02-04 (about 3 months ago)
Last Updated
2026-02-05 (about 3 months ago)

Other

Published
Title
Published
2024-05-22
Title
Brizy – Page Builder < 2.4.44 - Missing Authorization
Published
2025-10-28
Title
Яндекс Доставка (Boxberry) <= 2.32 - Missing Authorization
Published
2024-11-18
Title
Banner System <= 1.0.0 - Privilege Escalation
Published
2023-11-15
Title
WP Like Button <= 1.7.0 - Missing Authorization via crublabFBLBAjax
Published
2025-03-06
Title
Golo - Directory & Listing, Travel WordPress Theme < 1.6.11 - Missing Authorization to Privilege Escalation via Unauthenticated Arbitrary User Password Change