{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13416", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-19T14:44:44.565Z", "datePublished": "2026-02-05T08:25:43.937Z", "dateUpdated": "2026-04-08T16:45:11.007Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:45:11.007Z"}, "affected": [{"vendor": "metagauss", "product": "ProfileGrid \u2013 User Profiles, Groups and Communities", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.9.7.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ProfileGrid \u2013 User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized user suspension due to a missing capability check on the pm_deactivate_user_from_group() function in all versions up to, and including, 5.9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to suspend arbitrary users from groups, including administrators, via the pm_deactivate_user_from_group AJAX action."}], "title": "ProfileGrid \u2013 User Profiles, Groups and Communities <= 5.9.7.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Suspension", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/31c2cd54-f258-43ea-8db2-8d98ad7014d1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/class-profile-magic-public.php#L3167"}, {"url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.6.5/public/class-profile-magic-public.php#L3167"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448434%40profilegrid-user-profiles-groups-and-communities&new=3448434%40profilegrid-user-profiles-groups-and-communities&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2026-01-23T06:45:15.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-04T20:24:28.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-05T14:50:51.505812Z", "id": "CVE-2025-13416", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T14:50:58.776Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13416", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-05T14:50:51.505812Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T14:50:56.057Z"}}], "cna": {"title": "ProfileGrid \u2013 User Profiles, Groups and Communities <= 5.9.7.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Suspension", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "metagauss", "product": "ProfileGrid \u2013 User Profiles, Groups and Communities", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "5.9.7.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-23T06:45:15.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-04T20:24:28.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/31c2cd54-f258-43ea-8db2-8d98ad7014d1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/class-profile-magic-public.php#L3167"}, {"url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.6.5/public/class-profile-magic-public.php#L3167"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448434%40profilegrid-user-profiles-groups-and-communities&new=3448434%40profilegrid-user-profiles-groups-and-communities&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The ProfileGrid \u2013 User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized user suspension due to a missing capability check on the pm_deactivate_user_from_group() function in all versions up to, and including, 5.9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to suspend arbitrary users from groups, including administrators, via the pm_deactivate_user_from_group AJAX action."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-05T08:25:43.937Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13416", "state": "PUBLISHED", "dateUpdated": "2026-02-05T14:50:58.776Z", "dateReserved": "2025-11-19T14:44:44.565Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-05T08:25:43.937Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The ProfileGrid \u2013 User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized user suspension due to a missing capability check on the pm_deactivate_user_from_group() function in all versions up to, and including, 5.9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to suspend arbitrary users from groups, including administrators, via the pm_deactivate_user_from_group AJAX action."}, {"lang": "es", "value": "El plugin ProfileGrid \u2013 User Profiles, Groups and Communities para WordPress es vulnerable a la suspensi\u00f3n no autorizada de usuarios debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n pm_deactivate_user_from_group() en todas las versiones hasta la 5.9.7.2, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, suspendan usuarios arbitrarios de grupos, incluidos los administradores, a trav\u00e9s de la acci\u00f3n AJAX pm_deactivate_user_from_group."}], "id": "CVE-2025-13416", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-05T09:15:50.423", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.6.5/public/class-profile-magic-public.php#L3167"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/class-profile-magic-public.php#L3167"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448434%40profilegrid-user-profiles-groups-and-communities&new=3448434%40profilegrid-user-profiles-groups-and-communities&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/31c2cd54-f258-43ea-8db2-8d98ad7014d1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T20:04:49.209326+00:00", "value": {"mitigation_remediation": ["Upgrade ProfileGrid to the latest version (5.9.7.3 or later) which includes the missing capability check.", "If an immediate upgrade is not feasible, temporarily remove or disable the pm_deactivate_user_from_group AJAX action by editing the plugin\u2019s public class file or applying a code snippet that restricts this action to administrators only.", "Audit user suspension logs and review subscriber roles to detect any unauthorized suspensions, and consider temporarily revoking subscriber capabilities for group management until a patch is applied."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Suspension of Users"}, "threat_synthesis": {"affected_systems": "All releases of the ProfileGrid \u2013 User Profiles, Groups and Communities plugin ranging from the earliest versions through 5.9.7.2, developed by Metagauss.", "description_and_impact": "The ProfileGrid \u2013 User Profiles, Groups and Communities plugin for WordPress has a missing capability check on the pm_deactivate_user_from_group function. This flaw lets any authenticated user with Subscriber-level access or higher call a public AJAX action that suspends arbitrary users from groups, including administrators, without permission. The absence of a capability check allows an attacker to target arbitrary accounts and enforce unwanted suspensions, effectively denying legitimate access and disrupting community interactions. The weakness is a classic missing authorization flaw, classified as CWE-862.", "risk_and_exploitability": "The CVSS score of 4.3 denotes a low severity impact, and the EPSS score of less than 1% indicates a very low chance of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers only need valid WordPress credentials at the Subscriber level, so the attack vector is internal authentication. The lack of a capability check permits the exploit to be carried out remotely via the AJAX endpoint, making it straightforward for an authenticated attacker to suspend users."}}}}, "created": "2026-02-06T12:05:46.556262+00:00", "updated": "2026-04-22T20:15:20.527221+00:00", "vendors": ["metagauss", "metagauss$PRODUCT$profilegrid", "wordpress", "wordpress$PRODUCT$wordpress"]}