CVE-2025-11748
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-08

Last updated on: 2025-11-11

Assigner: Wordfence

Description
The Groups plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0 via the 'group_id' parameter of the group_join function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to register for groups other than ones set in the shortcode.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-08
Last Modified
2025-11-11
Generated
2026-06-16
AI Q&A
2025-11-08
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11748
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress groups *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an Insecure Direct Object Reference (IDOR) in the Groups plugin for WordPress, affecting all versions up to and including 6.7.0. It occurs because the 'group_id' parameter in the group_join function lacks proper validation, allowing authenticated users with Subscriber-level access or higher to register for groups they are not authorized to join.

Impact Analysis

The vulnerability allows authenticated users with low-level access to join unauthorized groups, potentially leading to unauthorized access to group-specific content or functionality. This could result in information disclosure or misuse of group resources.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11748. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart