CVE-2025-2563
Published 2025-04-14
Priority: P186 · Severity: high · CVSS 3.1 base score 8.1
CVSS vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 44.41% (98.6th percentile)
The User Registration & Membership WordPress plugin before 4.1.2 does not prevent users from setting their account role when the Membership Addon is enabled, leading to a privilege escalation issue and allowing unauthenticated users to gain admin privileges.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpeverest | user_registration_membership | < 4.1.2 | 4.1.2 |
| wpeverest | user_registration_membership | < 5.1.2 | 5.1.2 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST to /wp-admin/admin-ajax.php with action=user_registration_membership_register_member and role=administrator in the body; this is the privilege escalation step.
- Detect unauthenticated POST to /wp-admin/admin-ajax.php with action=user_registration_user_form_submit; this is the initial registration step of the two-stage exploit chain.
- A successful exploitation response for the membership escalation step contains 'New member has been successfully created.' and 'member_id' and '"success":true' in the response body.
- A successful registration step response contains 'success_message_positon', the registered username, and '"success":true' in the response body.
- Full exploit chain: (1) register free-membership user via AJAX, (2) elevate to administrator via membership AJAX action, (3) log in and upload/execute a PHP payload.
- The vulnerability is only exploitable when the Membership Addon is enabled; check for the presence of the membership registration page and the ur_membership_frontend_localized_data JS variable.
- Look for the nonce extraction pattern 'ur_membership_frontend_localized_data = {"_nonce":' in page source; its presence confirms the vulnerable membership addon is active.
- The exploit only works when the Membership Addon is enabled in the User Registration & Membership plugin; the vulnerability does not exist in default plugin installations without this addon.
- Affected versions are <= 4.1.1; version 4.1.2 patches the issue.
- The exploit was tested on WordPress 6.4.3; behavior on other WordPress versions may differ.
CVSS provenance
- NVD (v3.1): 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 8.1 HIGH
GHSA
GHSA-jxh5-f52q-732j (ghsa_unreviewed · 2025-04-14) [HIGH]: The User Registration & Membership WordPress plugin before 4.1.2 does not prevent users from setting their account role when the Membership Addon is enabled, leading to a privilege escalation issue and allowing unauthenticated users to gain admin privileges.
VulnCheck
User Registration & Membership WordPress Plugin Membership Addon Privilege Escalation (vulncheck · 2025 · CVSS 8.1 · HIGH)
The User Registration & Membership WordPress plugin before 4.1.2 does not prevent users from setting their account role when the Membership Addon is enabled, leading to a privilege escalation issue and allowing unauthenticated users to gain admin privileges.
Affected: wpeverest user_registration_&_membership
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/wordpress/plugin/user-registration/vulnerability/wordpress-user-registration-membership-plugin-4-1-2-unauthenticated-privilege-escalation-vulnerability
Exploit PoC: https://vulncheck.com/xdb/d
No detection rules found.
Exploit-DB
WordPress User Registration & Membership Plugin 4.1.1 - Unauthenticated Privilege Escalation (exploitdb · 2025-04-08 · CVSS 8.1 · HIGH)
Exploit header as published:
```text
# Exploit Title: WordPress User Registration & Membership Plugin <= 4.1.1 - Unauthenticated Privilege Escalation
# Exploit Author: Al Baradi Joy
# Date: 2025-04-07
# Vendor Homepage: https://wordpress.org/plugins/user-registration/
# Software Link: https://downloads.wordpress.org/plugin/user-registration.4.1.1.zip
# Version: <= 4.1.1
# Tested on: WordPress 6.4.3
# CVSS: 9.8 (CRITICAL)
# CWE: CWE-269
# References:
# https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/user-registration/user-registration-membership-411-unauthenticated-privilege-escalation
# https://patchstack.com/database/wordpress/plugin/user-registration/vulnerability/wordpress-user-registration-membership
```
Nuclei
User Registration & Membership <= 4.1.1 - Unauthenticated Privilege Escalation (nuclei · CVSS 8.1 · HIGH)
Template fragment as indexed (cut off at both ends; extractor list followed by the first raw request):
```yaml
        # preceding regex cut off in the indexed fragment: 'User Registration & Membership "'
        internal: true
      - type: regex
        part: body
        name: memberfieldval
        group: 1
        regex:
          - 'id="ur-membership-select-membership-([0-9]+)+'
        internal: true
      - type: regex
        part: body
        name: memberfieldname
        group: 1
        regex:
          - 'data-field-id="membership_field_([0-9]+)"'
        internal: true
      - type: regex
        part: body
        name: frontend_nonce
        group: 1
        regex:
          - 'name="ur_frontend_form_nonce" value="(.*?)"'
        internal: true
      - type: regex
        part: body
        name: localized_frontend_nonce
        group: 1
        regex:
          - 'ur_membership_frontend_localized_data = {"_nonce":"(.*?)"'
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        action=user_registration_user_form_submit&security={{nonce}}&form_data=%5B%7B%22field_nam
```
Metasploit
WP User Registration and Membership Unauthenticated Privilege Escalation (CVE-2025-2563) (metasploit · CVSS 8.1 · HIGH)
Exploits CVE-2025-2563 in the WordPress User Registration & Membership plugin. 1) Registers a free-membership user via AJAX. 2) Elevates that user to administrator via the membership AJAX action. 3) Logs in, uploads & executes a PHP payload.
No writeups or analysis indexed.