Security Alert Summary
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress contains a missing capability check in the pm_invite_user function. In affected versions up to and including 5.9.8.4, authenticated users with Subscriber-level access and above can add themselves or any registered user to any ProfileGrid group, including closed and paid groups, bypassing authorization and payment controls.
CVE Details
- CVE ID: CVE-2026-4609
- Affected component: ProfileGrid – User Profiles, Groups and Communities plugin for WordPress
- Affected versions: All versions up to, and including, 5.9.8.4
- Published: May 13, 2026 2:17:58 PM
- Last modified: May 13, 2026 2:43:46 PM
- CVSS v3.1: Base Score 7.1, Severity HIGH, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
- Authentication / Privileges / Interaction:
  - Privileges Required: LOW (an authenticated user, e.g., Subscriber-level)
  - User Interaction: NONE
  - Attack Vector: NETWORK; Attack Complexity: LOW; Scope: UNCHANGED
  - Primary impact: Confidentiality: LOW; Integrity: HIGH; Availability: NONE
- Weakness: CWE-862 (Missing Authorization)
Technical Details
The vulnerability is a missing capability check on the pm_invite_user function. Because the function does not verify that the calling user has the required authorization to add members, an authenticated user with low privileges can trigger group membership changes.
Specifically, the lack of an authorization check in the invitation logic allows an attacker with Subscriber-level access or higher to add themselves or any existing registered user to any ProfileGrid group. This includes closed and paid groups, allowing membership changes that bypass authorization and payment gates.
The impact is limited to the functionality controlled by the vulnerable code path: group membership can be modified without proper checks. The vulnerability does not, based on the provided information, indicate arbitrary code execution or full site takeover.
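To make the weakness class concrete, here is an added illustrative example (not the ProfileGrid plugin's code) of a WordPress AJAX handler that adds a user to a group: first the missing-authorization pattern described above, then a hardened version that verifies a nonce and a capability before any membership write. The function names, action name, capability and table name are hypothetical stand-ins.

```php
<?php
// Added example, not code from the ProfileGrid plugin. Function, action,
// capability and table names are hypothetical. The first handler shows the
// CWE-862 pattern (no authorization before a state change); the second adds
// a nonce check and a capability check before touching group membership.

// --- Vulnerable pattern (shown for contrast, intentionally not registered) ---
function example_invite_user_vulnerable() {
    global $wpdb;
    $user_id  = absint( $_POST['user_id'] ?? 0 );
    $group_id = absint( $_POST['group_id'] ?? 0 );
    // No nonce and no capability check: any logged-in user can add any user to any group.
    $wpdb->insert( $wpdb->prefix . 'example_group_members',
        array( 'user_id' => $user_id, 'group_id' => $group_id ),
        array( '%d', '%d' ) );
    wp_send_json_success();
}

// --- Hardened pattern: verify intent and authority before any write ---
function example_invite_user_hardened() {
    global $wpdb;
    // 1. CSRF protection: the request must carry a nonce tied to this action.
    check_ajax_referer( 'example_invite_user', 'nonce' );

    // 2. Authorization: only users allowed to manage groups may add members.
    //    'manage_options' is a stand-in here; a real plugin would check a
    //    plugin-specific capability or the caller's group-admin status.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }

    $user_id  = absint( $_POST['user_id'] ?? 0 );
    $group_id = absint( $_POST['group_id'] ?? 0 );
    if ( ! $user_id || ! $group_id || ! get_userdata( $user_id ) ) {
        wp_send_json_error( 'invalid request', 400 ); // exits
    }

    $wpdb->insert( $wpdb->prefix . 'example_group_members',
        array( 'user_id' => $user_id, 'group_id' => $group_id ),
        array( '%d', '%d' ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_invite_user', 'example_invite_user_hardened' );
```

The nonce alone is not an authorization control: it only proves the request originated from a page served to the caller, so the capability check is the step that closes the gap described in this advisory.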
How This Could Impact Your Website
Consider a small site with multiple users: the site owner configures closed groups for members, an internal editor manages content and user roles, and an external contractor or contributor has Subscriber-level access for commenting or limited tasks. An attacker who gains access to a Subscriber account or exploits an account belonging to a contractor could add that account or other registered users into closed or paid groups.
Practical consequences include unauthorized access to member-only content and resources, and the potential exposure of internal user metadata tied to group membership. Even though confidentiality impact is listed as LOW, group membership changes can reveal or consolidate user information that increases the risk of targeted phishing or social engineering against staff or contributors.
If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially accounts with Contributor or higher privileges.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins.
- Monitor site activity and logs for unusual behavior related to group membership changes or unexpected user role modifications.
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/class-profile-magic-public.php#L3280
- https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/class-profile-magic-public.php#L3319
- https://plugins.trac.wordpress.org/changeset/3491679/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c3678b4d-0cd0-4873-8cf3-90c557931f4c?source=cve