Groups Security & Risk Analysis

wordpress.org/plugins/groups

Groups is an efficient and powerful solution, providing group-based user membership management, group-based capabilities and content access control.

10K active installs · v4.1.0 · PHP 7.4+ · WP 6.7+ · Updated Mar 25, 2026
Tags: access, access-control, groups, member, membership

Security score: 98 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Feb 18, 2026
Safety Verdict

Is Groups Safe to Use in 2026?

Generally Safe

Score 98/100

Groups has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEs · Last CVE: Feb 18, 2026 · Updated 1mo ago
Risk Assessment

The "groups" plugin version 4.0.0 presents a mixed security posture. Static analysis shows a seemingly small attack surface: no AJAX handlers, REST API routes, shortcodes, or cron events lacking authentication or permission checks, and no dangerous functions or file operations detected. Several concerning signals emerge nonetheless.

A significant portion of SQL queries (100%) do not use prepared statements, which is a major risk for SQL injection. A substantial share of output (28%) is not properly escaped, indicating potential Cross-Site Scripting (XSS), especially given the plugin's history. That history comprises two medium-severity CVEs (one XSS, one authorization bypass), the most recent of them relatively new, even though it is marked as currently unpatched. Combined with the missing output escaping and the raw SQL queries, this strongly suggests a recurring pattern of vulnerabilities that the developers may not have fully addressed in this version. The absence of nonce checks on any entry point is also a concern: it leaves the plugin open to CSRF if state-changing actions are introduced without proper protection.

Overall, while the plugin shows no critical static-analysis red flags such as tainted flows or dangerous functions, the prevalent use of raw SQL, insufficient output escaping, and a history of medium-severity vulnerabilities warrant a cautious approach.

Key Concerns

  • SQL queries do not use prepared statements
  • Significant amount of output not properly escaped
  • Vulnerability history includes medium severity CVEs
  • No nonce checks on any entry points
Vulnerabilities
2 published

Groups Security Vulnerabilities

CVEs by Year

  • 2025: 1 CVE
  • 2026: 1 CVE

Severity Breakdown

  • Medium: 2

2 total CVEs

CVE-2026-0549 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Groups <= 3.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'groups_group_info' Shortcode
Feb 18, 2026 · Patched in 3.11.0 (1d)

CVE-2025-11748 · medium · 4.3 · Authorization Bypass Through User-Controlled Key
Groups <= 3.7.0 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Group Join
Nov 7, 2025 · Patched in 3.8.0 (5d)
Version History

Groups Release Timeline

Code Analysis
Analyzed Mar 16, 2026

Groups Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 1 (0 prepared)
  • Unescaped Output: 7 (18 escaped)
  • Nonce Checks: 0
  • Capability Checks: 9
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

1 query total · 0% prepared

Output Escaping

25 outputs total · 72% escaped
Attack Surface

Groups Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 27

Type   | Hook                                 | Location
action | init                                 | legacy\access\class-groups-access-meta-boxes-legacy.php:45
action | admin_init                           | legacy\access\class-groups-access-meta-boxes-legacy.php:46
action | add_meta_boxes                       | legacy\access\class-groups-access-meta-boxes-legacy.php:56
action | save_post                            | legacy\access\class-groups-access-meta-boxes-legacy.php:57
filter | wp_insert_post_empty_content         | legacy\access\class-groups-access-meta-boxes-legacy.php:58
filter | attachment_fields_to_edit            | legacy\access\class-groups-access-meta-boxes-legacy.php:60
filter | attachment_fields_to_save            | legacy\access\class-groups-access-meta-boxes-legacy.php:61
action | admin_enqueue_scripts                | legacy\access\class-groups-access-meta-boxes-legacy.php:69
filter | posts_where                          | legacy\access\class-groups-post-access-legacy.php:64
filter | get_pages                            | legacy\access\class-groups-post-access-legacy.php:65
filter | the_posts                            | legacy\access\class-groups-post-access-legacy.php:67
filter | wp_get_nav_menu_items                | legacy\access\class-groups-post-access-legacy.php:69
filter | get_the_excerpt                      | legacy\access\class-groups-post-access-legacy.php:71
filter | the_content                          | legacy\access\class-groups-post-access-legacy.php:72
filter | map_meta_cap                         | legacy\access\class-groups-post-access-legacy.php:74
action | groups_deleted_capability_capability | legacy\access\class-groups-post-access-legacy.php:75
action | admin_init                           | legacy\admin\class-groups-admin-post-columns-legacy.php:37
filter | manage_media_columns                 | legacy\admin\class-groups-admin-post-columns-legacy.php:53
action | manage_media_custom_column           | legacy\admin\class-groups-admin-post-columns-legacy.php:55
action | admin_init                           | legacy\admin\class-groups-admin-posts-legacy.php:37
action | admin_enqueue_scripts                | legacy\admin\class-groups-admin-posts-legacy.php:46
action | admin_head                           | legacy\admin\class-groups-admin-posts-legacy.php:47
action | restrict_manage_posts                | legacy\admin\class-groups-admin-posts-legacy.php:48
filter | parse_query                          | legacy\admin\class-groups-admin-posts-legacy.php:49
action | bulk_edit_custom_box                 | legacy\admin\class-groups-admin-posts-legacy.php:51
action | save_post                            | legacy\admin\class-groups-admin-posts-legacy.php:52
action | groups_admin_options_legacy          | legacy\admin\groups-admin-options-legacy.php:87
Maintenance & Trust

Groups Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 25, 2026
PHP min version: 7.4
Downloads: 993K

Community Trust

Rating: 96/100
Number of ratings: 380
Active installs: 10K
Developer Profile

Groups Developer Profile

itthinx

30 plugins · 23K total installs

Trust score: 97
Avg Security Score: 96/100
Avg Patch Time: 3 days
Detection Fingerprints

How We Detect Groups

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/groups/lib/core/js/groups-admin.js
  • /wp-content/plugins/groups/lib/core/js/groups-user.js
  • /wp-content/plugins/groups/lib/core/js/groups-tools.js
  • /wp-content/plugins/groups/lib/core/js/groups-select.js
  • /wp-content/plugins/groups/lib/core/js/groups-autocomplete.js
  • /wp-content/plugins/groups/lib/core/js/groups-form.js
  • /wp-content/plugins/groups/lib/core/js/groups-modal.js
  • /wp-content/plugins/groups/lib/core/js/groups-dialog.js
  • +52 more
Script Paths
  • /wp-content/plugins/groups/lib/core/js/groups-admin.js
  • /wp-content/plugins/groups/lib/core/js/groups-user.js
  • /wp-content/plugins/groups/lib/core/js/groups-tools.js
  • /wp-content/plugins/groups/lib/core/js/groups-select.js
  • /wp-content/plugins/groups/lib/core/js/groups-autocomplete.js
  • /wp-content/plugins/groups/lib/core/js/groups-form.js
  • +23 more
Version Parameters

HTML / DOM Fingerprints

CSS Classes
  • groups-access-meta-box
  • groups-post-access-options
  • groups-access-fields
  • groups-groups-list
  • groups-field-groups
  • groups-fields-list
  • groups-roles-list
  • groups-permissions-list
  • +165 more
HTML Comments
  • <!-- Copyright (c) "kento" Karim Rahimpur www.itthinx.com -->
  • <!-- This code is released under the GNU General Public License. -->
  • <!-- See COPYRIGHT.txt and LICENSE.txt. -->
  • <!-- This code is distributed in the hope that it will be useful, -->
  • +18 more
Data Attributes
  • data-groups-autocomplete-select
  • data-groups-autocomplete-update
  • data-groups-autocomplete-remove
JS Globals
  • groups_select_options
  • groups_autocomplete_options
FAQ

Frequently Asked Questions about Groups