CVE-2025-13416

by Fred · 05/02/2026

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized user suspension due to a missing capability check on the pm_deactivate_user_from_group() function in all versions up to, and including, 5.9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to suspend arbitrary users from groups, including administrators, via the pm_deactivate_user_from_group AJAX action.

More information : https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.6.5/public/class-profile-magic-public.php#L3167

CVE-2025-13416

Similar

Recent Posts

Categories

CVE-2025-13416

Share this:

Similar

Recent Posts

Categories

Tags