What the vulnerability does
01 Description
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.9.8.4. This is due to the plugin not properly verifying that a user is authorized to perform an action via the pm_set_group_order, pm_set_group_items, and pm_set_field_order AJAX actions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify site-wide ProfileGrid group settings including group menu order, group list order, group icon display, and field ordering.
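The root cause described above is a handler reachable by any logged-in user that never asks whether that user may change site-wide settings. As an added illustration (not ProfileGrid's own code), this is the shape of a WordPress AJAX handler for the pm_set_group_order action with the authorization checks the description says are missing; the callback name, nonce action, capability and option key are assumptions. Note that a `wp_ajax_{action}` hook fires for every authenticated user regardless of role, which is why the capability check must live inside the handler.

```php
<?php
// Added example, not the plugin's code. The hook name pm_set_group_order is
// from the advisory; the callback, nonce action, capability and option key
// are assumptions chosen for illustration.

// Only the authenticated hook is registered; wp_ajax_nopriv_ is deliberately
// absent so anonymous requests never reach the callback.
add_action( 'wp_ajax_pm_set_group_order', 'example_pm_set_group_order' );

function example_pm_set_group_order() {
    // 1. Nonce check: rejects requests that did not originate from the
    //    plugin's own admin screen (CSRF defence). check_ajax_referer()
    //    terminates the request on failure.
    check_ajax_referer( 'example_pm_admin_nonce', 'security' );

    // 2. Capability check: this is the check whose absence lets a
    //    Subscriber-level account reorder groups for the whole site.
    //    Group ordering is a site-wide setting, so require manage_options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Input validation: accept only a non-empty list of group IDs,
    //    coerced to non-negative integers.
    $order = ( isset( $_POST['order'] ) && is_array( $_POST['order'] ) )
        ? array_map( 'absint', wp_unslash( $_POST['order'] ) )
        : array();
    if ( empty( $order ) ) {
        wp_send_json_error( array( 'message' => 'Invalid order' ), 400 );
    }

    // 4. Only now persist the site-wide setting.
    update_option( 'example_pm_group_order', $order );
    wp_send_json_success( array( 'order' => $order ) );
}
```

The same three checks (nonce, capability, input validation) apply to the pm_set_group_items and pm_set_field_order handlers named in the description.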
Explanation of Vulnerability in Simple Terms
02 Summary
ProfileGrid versions up to 5.9.8.4 lack proper authorization checks, allowing authenticated users to modify data they should not have access to. An attacker with a low-privilege account can alter information without the plugin verifying their permissions. This affects the integrity of user profiles and community data. Update to a version newer than 5.9.8.4.
What an attacker can do
03 Attacker Capabilities
Modify user profiles, groups, or community data belonging to other users or restricted areas.
Potential impact on your site
04 Site Impact
User data integrity compromised; members can alter profiles and settings outside their intended permissions.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid low-privilege account on the site; no special user interaction required.
Key dates
06 Disclosure timeline
May 13, 2026: CVE published
May 13, 2026: Record updated