cleantalk
Vulnerabilities and Security Researches

Groups, CVE-2025-11748

CVE, Research URL

CVE-2025-11748

Home page URL

Security reports for Groups

Application

Groups

Published on
Nov 08, 2025
Research Description
The Groups plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0 via the 'group_id' parameter of the group_join function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to register for groups other than ones set in the shortcode.
Affected versions
max 6.8.0.
Status
vulnerable
Previous vulnerability researches
Social Link Groups (CVE-2024-49619) , Oct 22, 2024
Featured Posts with Multiple Custom Groups (FPMCG) (CVE-2024-48031) , Oct 13, 2024
Featured Posts with Multiple Custom Groups (FPMCG) (CVE-2024-48032) , Oct 13, 2024
RDP inGroups+ (CVE-2025-23546) , Mar 22, 2025
Payment Gateway Groups for WooCommerce (8e7d6f5fc355d02dfe8d709340a3643188c7e5a6) , Jun 07, 2024
New vulnerability
VI: Include Post By (CVE-2026-5717) , Apr 17, 2026
Responsive Accordion Slider (CVE-2026-0635) , Apr 17, 2026
Petje.af (CVE-2026-4002) , Apr 17, 2026
LinkedIn SC (CVE-2026-0812) , Apr 17, 2026
Coachific Shortcode (CVE-2026-4005) , Apr 17, 2026