
15 matches found

EUVD
added 2026/05/19 9:19 a.m. | 3 views

EUVD-2026-30857

The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to...

6.9 CVSS | 5.9 AI score | 0.00069 EPSS
Exploits 0 | References 1

Patchstack
added 2026/05/13 10:47 a.m. | 5 views

WordPress ProfileGrid – User Profiles, Groups and Communities plugin <= 5.9.8.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Group Joining vulnerability

Missing Authorization to Authenticated (Subscriber+) Arbitrary Group Joining vulnerability discovered by Jonah Burgess CryptoCat in WordPress Plugin ProfileGrid versions <= 5.9.8.4...

7.1 CVSS | 5.8 AI score | 0.0003 EPSS
Exploits 0 | References 1 | Affected Software 1

CVE
added 2026/02/09 9:15 p.m. | 8 views

CVE-2026-25885

CVE-2026-25885 affects PolarLearn: the group chat WebSocket (wss://polarlearn.nl/api/v1/ws) allowed unauthenticated clients to subscribe to and post in any group chat, storing messages in the chatContent. This is described for 0-PRERELEASE-16 and earlier. The vulnerability is unpatched/undetailed...

10 CVSS | 5.5 AI score | 0.00057 EPSS
Exploits 1 | References 2 | Affected Software 1

Patchstack
added 2026/02/01 11:3 p.m. | 3 views

WordPress Himer theme < 2.1.1 - Arbitrary Group Joining via CSRF vulnerability

Arbitrary Group Joining via CSRF vulnerability discovered by Sushmita Poudel in WordPress Theme Himer versions < 2.1.1...

6.3 CVSS | 5.9 AI score | 0.00091 EPSS
Exploits 2 | References 1 | Affected Software 1

Vulnrichment
added 2025/11/08 3:27 a.m. | 2 views

CVE-2025-11748 Groups <= 3.7.0 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Group Join

The Groups plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0 via the 'groupid' parameter of the groupjoin function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

4.3 CVSS | 5.3 AI score | 0.00034 EPSS
Exploits 0 | References 3

WPVulnDB
added 2024/06/12 12:0 a.m. | 17 views

Himer - Social Questions and Answers < 2.1.1 - Arbitrary Group Joining via CSRF

Description: The theme does not have CSRF checks in some places, which could allow attackers to make users join private groups via a CSRF attack. PoC: The PoC will be displayed on June 26, 2024, to give users the time to update...

6.4 AI score | 0.00091 EPSS
Exploits 2 | Affected Software 1

WPVulnDB
added 2021/10/28 12:0 a.m. | 20 views

URL Shortify < 1.5.1 - Arbitrary Link/Group Deletion via CSRF

The plugin does not have a CSRF check in place when bulk-deleting links or groups, which could allow attackers to make a logged-in admin delete arbitrary links and groups via a CSRF attack. PoC: https://example.com/wp-admin/admin.php?page=uslinks=bulkdeleteids=1...

4.3 CVSS | 5.1 AI score | 0.00103 EPSS
Exploits 2 | Affected Software 1

OSV
added 2016/05/13 4:59 p.m. | 5 views

CVE-2016-2860

The newEntry function in ptserver/ptprocs.c in OpenAFS before 1.6.17 allows remote authenticated users from foreign Kerberos realms to bypass intended access restrictions and create arbitrary groups as administrators by leveraging mishandling of the creator ID...

6.5 CVSS | 6.6 AI score
Exploits 0 | References 5

Prion
added 2016/05/07 2:59 p.m. | 13 views

Authentication flaw

The Accellion File Transfer Appliance (FTA) before FTA91240 allows local users to add an SSH key to an arbitrary group, and consequently gain privileges, via unspecified vectors...

7.2 CVSS | 7.1 AI score | 0.00095 EPSS
Exploits 1 | References 2 | Affected Software 1

Cvelist
added 2016/05/07 2:0 p.m. | 13 views

CVE-2016-2353

The Accellion File Transfer Appliance (FTA) before FTA91240 allows local users to add an SSH key to an arbitrary group, and consequently gain privileges, via unspecified vectors...

8.1 AI score | 0.00095 EPSS
Exploits 1 | References 2

WPVulnDB
added 2014/08/01 10:58 a.m. | 17 views

Buddypress <= 1.9.1 - Crafted bp_new_group_id Cookie Arbitrary Group Manipulation

The BuddyPress WordPress plugin was affected by a Crafted bp_new_group_id Cookie Arbitrary Group Manipulation security vulnerability...

4 CVSS | 2.4 AI score | 0.13364 EPSS
Exploits 6 | References 2 | Affected Software 1

Cvelist
added 2012/11/27 2:0 a.m. | 18 views

CVE-2012-6047

Cross-site request forgery (CSRF) vulnerability in X7 Chat 2.0.5.1 and earlier allows remote attackers to hijack the authentication of administrators for requests that add a user to an arbitrary group via the users page in an adminpanel action to index.php...

7.2 AI score | 0.00211 EPSS
Exploits 1 | References 1

htbridge
added 2010/05/05 12:0 a.m. | 27 views

Cross-site request forgery (CSRF) in ocPortal

High-Tech Bridge SA Security Research Lab has discovered vulnerability in ocPortal which could be exploited to perform CSRF attacks. 1 Cross-site request forgery CSRF ocPortal The vulnerability exists due to insufficient validation of the request origin in /site/index.php. A remote attacker can...

5.1 CVSS | 7 AI score
Exploits 0 | Affected Software 1

NVD
added 2006/06/01 10:2 a.m. | 11 views

CVE-2006-2737

utilities/register.asp in Nukedit 4.9.6 and earlier allows remote attackers to create new users as part of arbitrary groups, including the administrative group, via a modified groupid parameter when creating a user via the addDB action...

7.5 CVSS | 6.7 AI score | 0.09624 EPSS
Exploits 1 | References 8

Debian
added 2005/08/30 6:4 a.m. | 13 views

[SECURITY] [DSA 791-1] New maildrop packages fix arbitrary group mail command execution

Debian Security Advisory DSA 791-1 | http://www.debian.org/security/ | Martin Schulze | August 30th, 2005 | http://www.debian.org/security/faq -...

10 CVSS | 0.9 AI score | 0.00397 EPSS
Exploits 0