Security Alert Summary
The ProfileGrid User Profiles, Groups and Communities plugin for WordPress contains a missing capability check that allows authenticated users with Subscriber-level access and above to suspend arbitrary users from groups via an AJAX action. The issue affects all versions up to and including 5.9.7.2 and enables suspension of group membership, including for administrator accounts.
CVE Details
- CVE ID: CVE-2025-13416
- Affected component: ProfileGrid User Profiles, Groups and Communities plugin for WordPress
- Affected versions: all versions up to, and including, 5.9.7.2
- Published: February 5, 2026 at 9:15:50 AM UTC
- Last modified: February 5, 2026 at 2:57:20 PM UTC
- CVSS v3.1: Base score 4.3 (MEDIUM) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Authentication / Privileges / Interaction: Authentication required; Privileges Required: Low; User Interaction: None; Attack Vector: Network; Attack Complexity: Low
- Primary impact: Confidentiality: None; Integrity: Low; Availability: None
- CWE: CWE-862 (Missing Authorization)
Technical Details
The vulnerability is caused by a missing capability check on the pm_deactivate_user_from_group() function. The plugin exposes an AJAX action named pm_deactivate_user_from_group that, when invoked by an authenticated user with low privileges (Subscriber-level and above), can suspend arbitrary users from groups. Because there is no proper check to verify whether the requesting user has permission to perform the suspension, an attacker with a low-privilege account can trigger the action to remove other users from groups, including users with administrator roles.
The described behavior affects integrity (modification of group membership) but does not indicate disclosure of protected data or direct availability impact, consistent with the CVSS metrics which show Confidentiality: None and Availability: None.
How This Could Impact Your Website
Consider a site with multiple user roles: the site owner, internal staff who manage content and groups, and external contractors or contributors who use Subscriber-level accounts. An attacker who can use a Subscriber account to suspend other users from groups could remove staff or contractors from group-based communication or access controls, disrupting workflows and notifications. If administrators are suspended from groups, some group-scoped functionality or notices may stop reaching them, causing operational confusion that could be leveraged for further social engineering.
These actions do not necessarily expose user data, but they can be used to interfere with normal operations and increase the risk of targeted phishing or impersonation attempts against disconnected staff. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles and privileges, especially for contributors and other low-privilege accounts.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your WordPress installation.
- Monitor site activity and audit logs for unusual behavior related to user role or group membership changes.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.6.5/public/class-profile-magic-public.php#L3167
- https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/class-profile-magic-public.php#L3167
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448434%40profilegrid-user-profiles-groups-and-communities&new=3448434%40profilegrid-user-profiles-groups-and-communities&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/31c2cd54-f258-43ea-8db2-8d98ad7014d1?source=cve