This is a bug and a serious one: one of my members who is in the registered group changed themselves to the moderator group via their profile page!!!!!
And yes, it only happens if you have the wpForo custom fields plugin installed (see evidence below). When I disabled it they could no longer change their group via their account page. To be doubly sure I tested this with my testuser account, which is a normal "registered" user account.
This needs to be logged with the Gvectors team and I have done so here:
https://gvectors.com/forum/official-wpforo-addons/wpforo-user-custom-fields/
In the meantime I've disabled the user custom field plugin until this can be fixed by the Gvectors team. The consequences if found don't bear thinking about.
With User Custom Fields Plugin enabled
As you can see from the photo above, the user can open up and change their group
Without User Custom Fields plugin enabled
The photo above shows once the plugin is disabled, they can no longer change their group
Just checked this and indeed the user can change their group, for me only to Customer (no other group shows as selection available).
No moderator or admin or any other dangerous option.
I'm not using any custom field plugin or whatever. In any case that option should NOT even be visible to anyone but maybe the admins. Why should a user be able to change their group!!
In light of the above comment I did a bit more digging. This now appears to be actually a "Registered" group problem.
All members of this group can access the "change group" on their account page, only admins should.
I logged in as a moderator and interestingly the "moderator" group do not have access to the "change group", that's good.
I then created a "test" usergroup and copied the "registered" usergroup settings to the "test" usergroup. I moved a member from the "registered" usergroup into the new "test" usergroup and, lo and behold, they can no longer access the "change group" option on their account page.
Why the "registered" usergroup allows "change usergroup" is a mystery.
This might after all be forum related and within the remit of the guys here to fix, especially in light that @maccast & @anonymous20 do not have the plugin.
It's worth others who have this problem following the actions I did above to see if it pans out the same.
In light of the above comment I did a bit more digging. This now appears to be actually a "Registered" group problem.
All members of this group can access the "change group" on their account page, only admins should.
I logged in as a moderator and interestingly the "moderator" group do not have access to the "change group", that's good.
True !!!
As I now have the "test" usergroup I'm tempted to delete the "registered" usergroup ensuring I use the option "Delete Chosen Usergroup And Join Users To Other Usergroup", other being the "test" usergroup.
Then recreate the "Registered" usergroup and move everyone back. In theory and in light of all the above, recreating it might fix it. Then again perhaps it's best left alone for the wpForo guys to address the root cause.