CVE-2025-11748: 
WordPress vulnerability analysis and mitigation

The Groups plugin for WordPress contains an Insecure Direct Object Reference vulnerability (CVE-2025-11748) discovered on November 7, 2025. The vulnerability affects all versions up to and including 3.7.0 and allows authenticated attackers with Subscriber-level access or higher to register for groups other than ones set in the shortcode through the 'groupid' parameter of the groupjoin function due to missing validation on a user-controlled key (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The issue stems from improper validation of the 'groupid' parameter in the groupjoin function, which is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) (NVD, Wordfence).

The vulnerability allows authenticated users with Subscriber-level privileges or higher to bypass intended group registration restrictions. This could lead to unauthorized users gaining access to groups they should not be able to join, potentially compromising the access control system implemented by the plugin (NVD).

Site administrators should update the Groups plugin to a version newer than 3.7.0 when available. Until a patch is released, administrators should carefully monitor group memberships and consider restricting the ability to join groups through alternative means (NVD).