CVE-2025-13416 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the ProfileGrid – User Profiles, Groups and Communities plugin for WordPress, versions up to and including 5.9.7.2. The vulnerability arises from the absence of a proper capability check in the pm_deactivate_user_from_group() function, which is responsible for suspending users from groups. This function is accessible via an AJAX action named pm_deactivate_user_from_group. Because the plugin fails to verify whether the authenticated user has the necessary permissions to perform this action, any user with Subscriber-level access or higher can invoke this AJAX endpoint to suspend arbitrary users from groups, including administrators. This unauthorized suspension can disrupt group membership and administrative controls within WordPress sites using this plugin. The vulnerability has a CVSS 3.1 base score of 4.3, indicating medium severity, with an attack vector of network, low attack complexity, requiring low privileges (authenticated user), no user interaction, and unchanged scope. The impact is limited to integrity, as confidentiality and availability are not affected. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly to prevent misuse.

For European organizations, the primary impact of this vulnerability is the potential disruption of group and community management within WordPress sites using the ProfileGrid plugin. Unauthorized suspension of users, including administrators, can lead to loss of administrative control, hinder collaboration, and cause operational disruptions in environments relying on group-based access or communication. While the vulnerability does not directly expose sensitive data or cause denial of service, the integrity compromise can facilitate further attacks or internal conflicts by disabling key user accounts. Organizations with public-facing or internally critical WordPress sites that utilize this plugin are at risk of privilege abuse by low-privilege authenticated users, potentially including malicious insiders or compromised accounts. This risk is heightened in sectors with collaborative platforms such as education, government, and enterprises that depend on WordPress for community management.

1. Immediately audit user roles and permissions to ensure that only trusted users have Subscriber-level or higher access, minimizing the pool of potential attackers. 2. Temporarily disable or restrict the ProfileGrid plugin if feasible until an official patch is released. 3. Implement custom code or use security plugins to enforce capability checks on the pm_deactivate_user_from_group AJAX action, effectively adding authorization validation. 4. Monitor WordPress logs and AJAX requests for suspicious activity related to user suspension actions. 5. Educate administrators and users about the risk and encourage strong authentication practices to reduce account compromise likelihood. 6. Stay updated with vendor announcements and apply patches promptly once available. 7. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block unauthorized AJAX calls targeting this function. 8. Review and harden WordPress security configurations, including limiting plugin access and employing least privilege principles.