{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11748", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-14T14:48:21.935Z", "datePublished": "2025-11-08T03:27:49.308Z", "dateUpdated": "2026-04-08T17:24:58.339Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:58.339Z"}, "affected": [{"vendor": "itthinx", "product": "Groups", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.7.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Groups plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0 via the 'group_id' parameter of the group_join function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to register for groups other than ones set in the shortcode."}], "title": "Groups <= 3.7.0 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Group Join", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d0f6d28a-d5ca-4700-bc61-f2dd20f06fcf?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/groups/trunk/lib/views/class-groups-shortcodes.php"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3387846%40groups&new=3387846%40groups&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Angus Girvan"}], "timeline": [{"time": "2025-11-07T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-10T14:07:27.644334Z", "id": "CVE-2025-11748", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-10T14:14:41.313Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11748", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-10T14:07:27.644334Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-10T14:07:28.277Z"}}], "cna": {"title": "Groups <= 3.7.0 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Group Join", "credits": [{"lang": "en", "type": "finder", "value": "Angus Girvan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "itthinx", "product": "Groups", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.7.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-07T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d0f6d28a-d5ca-4700-bc61-f2dd20f06fcf?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/groups/trunk/lib/views/class-groups-shortcodes.php"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3387846%40groups&new=3387846%40groups&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Groups plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0 via the 'group_id' parameter of the group_join function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to register for groups other than ones set in the shortcode."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-11T14:25:32.416Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11748", "state": "PUBLISHED", "dateUpdated": "2025-11-11T14:25:32.416Z", "dateReserved": "2025-10-14T14:48:21.935Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-08T03:27:49.308Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Groups plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0 via the 'group_id' parameter of the group_join function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to register for groups other than ones set in the shortcode."}], "id": "CVE-2025-11748", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-08T04:15:43.383", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/groups/trunk/lib/views/class-groups-shortcodes.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3387846%40groups&new=3387846%40groups&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d0f6d28a-d5ca-4700-bc61-f2dd20f06fcf?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:47:41.355345+00:00", "value": {"mitigation_remediation": ["Update the Groups plugin to the latest version, which includes a fix for the insecure direct object reference.", "If an update is not immediately feasible, restrict the use of the group_join shortcode or the group_join function to administrator roles only, ensuring that only privileged users can register for groups via this method.", "Audit existing group memberships and review logs for unexpected entries to detect any unauthorized joins that may have occurred before a remediation action is applied."], "summary": {"action": "Update Plugin", "impact": "Unauthorized group membership"}, "threat_synthesis": {"affected_systems": "WordPress sites running the itthinx Groups plugin version 3.7.0 or earlier are affected. The vulnerability applies to all releases up to and including 3.7.0, regardless of the WordPress core version. Site administrators should verify which plugin version is installed and plan an update accordingly.", "description_and_impact": "The Groups plugin for WordPress contains an insecure direct object reference flaw that allows an attacker with Subscriber-level or higher access to use the group_join function and supply a group_id that was not intended for the visitor. The lack of validation on this user-controlled key means the attacker can register for any group, potentially bypassing the intended membership controls or privacy settings enforced by the shortcode. This flaw does not provide denial of service or privilege escalation beyond the user\u2019s existing authenticated session, but it enables unwanted membership in groups that may contain sensitive information or associated access rights.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1 percent suggests a low probability of exploitation at this time. The vulnerability is not included in the CISA KEV catalog. The attacker must first authenticate to the site as a Subscriber or higher role, which limits the threat to legitimate users who have been granted access. Once logged in, the attacker can seamlessly join arbitrary groups by manipulating the group_id parameter, but no further system compromise or data exfiltration is possible with this flaw alone."}}}}, "created": "2025-11-10T09:33:32.064195+00:00", "updated": "2026-04-21T02:00:12.279651+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}