CVE-2025-1408

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
22/03/2025
Last modified:
27/03/2025

Description

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pm_decline_join_group_request and pm_approve_join_group_request functions in all versions up to, and including, 5.9.4.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to approve or decline join group requests which is normally should be available to administrators only.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:metagauss:profilegrid:*:*:*:*:*:wordpress:*:* 5.9.4.5 (excluding)