Vulnerabilities and security researches forgroups groups

Apr 15, 2026

CVE, Research URL: CVE-2026-0549
Home page URL: Security reports for Groups
Application: Groups
Date: Feb 19, 2026
Research Description: The Groups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'groups_group_info' shortcode in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.11.0.
Status: vulnerable

Dec 11, 2025

CVE, Research URL: CVE-2025-11748
Home page URL: Security reports for Groups
Application: Groups
Date: Nov 08, 2025
Research Description: The Groups plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0 via the 'group_id' parameter of the group_join function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to register for groups other than ones set in the shortcode.
Affected versions: max 6.8.0.
Status: vulnerable

Jun 06, 2024

CVE, Research URL: 28b8f9f1138369583c47f8964d14075cff42597e
Home page URL: Security reports for Groups
Application: Groups
Date: Aug 01, 2014
Research Description: Groups [groups] < 1.4.6 WordPress Groups Plugin <= 1.4.5 - This plugin is prone to a negated role capability H&ling elevated privilege issue. Upgrade this plugin.
Affected versions: max 1.4.6.
Status: vulnerable