CVE-2025-1408: 
WordPress vulnerability analysis and mitigation

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress contains a missing capability check vulnerability (CVE-2025-1408) discovered on March 22, 2025. The vulnerability affects all versions up to and including 5.9.4.4 and allows authenticated attackers with Subscriber-level access or higher to approve or decline join group requests, functionality that should be restricted to administrators only (NVD).

The vulnerability stems from missing capability checks in the pmdeclinejoingrouprequest and pmapprovejoingrouprequest functions, which allows unauthorized modification of group membership data. The issue has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability is classified as CWE-862 (Missing Authorization) (NVD).

When exploited, this vulnerability allows authenticated users with basic subscriber privileges to perform administrative actions related to group membership management. Specifically, attackers can approve or decline group join requests without proper authorization, potentially disrupting group membership management and bypassing intended access controls (NVD).

Users should upgrade to version 5.9.4.5 or later when available, as this version is expected to include the necessary capability checks. Until then, site administrators should carefully review and potentially restrict subscriber-level account creation (NVD).