WordPress Plugin Vulnerabilities

Groups < 3.8.0 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Group Join

Description

The Groups plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0 via the 'group_id' parameter of the group_join function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to register for groups other than ones set in the shortcode.

Affects Plugins

Plugin icon
groups
Fixed in 3.8.0

References

CVE
CVE-2025-11748
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d0f6d28a-d5ca-4700-bc61-f2dd20f06fcf

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
shark3y
Verified
No
WPVDB ID
ff683860-0d49-4e49-8990-b0e1ce56a844

Timeline

Publicly Published
2025-11-07 (about 6 months ago)
Added
2025-11-07 (about 6 months ago)
Last Updated
2025-11-11 (about 6 months ago)

Other

Published
Title
Published
2026-03-16
Title
Tutor LMS – eLearning and online course solution < 3.9.5 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2022-07-25
Title
SearchWP Live Ajax Search < 1.6.2 - Unauthenticated Arbitrary Post Title Disclosure
Published
2025-01-10
Title
RRAddons for Elementor <= 1.1.0 - Authenticated (Contributor+) Post Disclosure
Published
2026-01-23
Title
SupportCandy – Helpdesk & Customer Support Ticket System < 3.4.5 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2025-12-11
Title
Ultra Addons for Contact Form 7 < 3.5.34 - Missing Authorization to Authenticated (Subscriber+) to Generate Form Submission PDF