Threat Feed advisory (severity: high)

CVE-2026-4609: ProfileGrid WordPress Plugin Authentication Bypass Vulnerability

The ProfileGrid WordPress plugin versions up to 5.9.8.4 contain an authentication bypass vulnerability (CVE-2026-4609) that allows authenticated users with subscriber-level privileges to add themselves or others to arbitrary groups, including paid groups, without proper authorization, leading to privilege escalation and potential financial impact.

CVE-2026-4609 affects the ProfileGrid – User Profiles, Groups and Communities plugin for WordPress. The vulnerability stems from a missing capability check on the pm_invite_user function in versions up to and including 5.9.8.4. This oversight enables authenticated attackers, possessing subscriber-level access or higher, to bypass authorization mechanisms and payment gateways. Attackers can exploit this vulnerability to add themselves or any registered user to any ProfileGrid group, including those that are closed or require payment for access. This issue was reported on May 13, 2026, and poses a significant risk to websites using the vulnerable plugin, as it can lead to unauthorized access to premium content and features.

Attack Chain

  1. An attacker registers an account on the WordPress site, obtaining subscriber-level access.
  2. The attacker identifies the vulnerable pm_invite_user function within the ProfileGrid plugin.
  3. The attacker crafts a malicious HTTP request to the WordPress site, targeting the pm_invite_user function, with parameters specifying the target group and user to add.
  4. The crafted request bypasses the intended capability checks due to the missing authorization validation.
  5. The pm_invite_user function processes the request, adding the attacker or the specified user to the targeted group, regardless of group access restrictions.
  6. If the targeted group is a paid group, the attacker gains access to premium content and features without completing the required payment process.
  7. The attacker leverages the unauthorized group membership to access restricted areas of the website and potentially perform actions reserved for higher-privileged users.
  8. The attacker may further escalate privileges or exfiltrate sensitive data accessible through the unauthorized group membership.

Impact

Successful exploitation of CVE-2026-4609 allows subscriber-level attackers to bypass authorization and payment gates, potentially affecting all ProfileGrid groups, including closed and paid ones. This can lead to unauthorized access to premium content and features. The number of victims depends on the number of websites using the vulnerable ProfileGrid plugin version. The impacted sectors are broad, as WordPress is used by various organizations. The financial impact includes loss of revenue from bypassed payment gates and potential data breaches.

Recommendation

  • Upgrade the ProfileGrid – User Profiles, Groups and Communities plugin for WordPress to the latest version, which includes a fix for CVE-2026-4609.
  • Deploy the Sigma rule “Detect ProfileGrid Unauthorized Group Invitation” to detect exploitation attempts targeting the vulnerable pm_invite_user function.
  • Review WordPress user roles and permissions to ensure appropriate access controls are in place.

Detection coverage (1 rule)

Detect ProfileGrid Unauthorized Group Invitation

Severity: high

Detects CVE-2026-4609 exploitation: unauthorized addition of users to ProfileGrid groups by exploiting the pm_invite_user function due to missing capability checks.

Rule format: Sigma
Tactic: privilege_escalation
Technique: T1068
Log source: webserver
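The following is an added example, not part of this advisory and not the vendor's Sigma rule: a small Python scanner that applies the rule's logic (any request referencing the pm_invite_user handler) to web-server access-log lines and flags source IPs that repeat the request. The log lines are constructed, and the admin-ajax.php?action=pm_invite_user request shape is an assumption about how the handler is reached; the function names are this example's own.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format; only the fields the rule needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Indicator named by the advisory: a request that references the pm_invite_user handler.
INDICATOR = "pm_invite_user"

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_invite_request(entry):
    """True when the request target references pm_invite_user (case-insensitive)."""
    return INDICATOR in entry["target"].lower()

def detect(lines, burst_threshold=3):
    """Return (alerts, bursty_ips): one alert per matching request, plus the source IPs
    with at least burst_threshold hits, since repeated calls from one client are the
    strongest sign of someone iterating over group or user ids."""
    alerts, per_ip = [], defaultdict(int)
    for line in lines:
        entry = parse_line(line)
        if entry and is_invite_request(entry):
            alerts.append({k: entry[k] for k in ("ip", "ts", "method", "target", "status")})
            per_ip[entry["ip"]] += 1
    return alerts, sorted(ip for ip, n in per_ip.items() if n >= burst_threshold)

# Constructed sample lines (RFC 5737 test addresses, not real traffic). The
# admin-ajax.php?action=... shape is an assumption; adapt it to what your own logs show.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/May/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=pm_invite_user HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/May/2026:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=pm_invite_user HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/May/2026:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=PM_INVITE_USER HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [13/May/2026:10:02:00 +0000] "GET /groups/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [13/May/2026:10:03:00 +0000] "POST /wp-admin/admin-ajax.php?action=pm_invite_user HTTP/1.1" 403 0 "-" "curl/8.0"',
    'not an access-log line at all',
]

if __name__ == "__main__":
    found, bursty = detect(SAMPLE_LOG)
    print(f"{len(found)} matching requests; repeated attempts from: {bursty}")
```

Many WordPress AJAX clients send the action in the POST body, which a standard access log does not record, so this match only fires where the action appears in the request target; for body-carried actions, run the same indicator over WAF or application logs that capture request bodies.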
