Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2025-2563 — Authorization Bypass Through User-Controlled Key in User Registration Membership

CWE-639 — Authorization Bypass Through User-Controlled Key6 documents6 sources

Severity

8.1HIGHNVD

EPSS

83.9%

top 0.70%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Wpeverest User Registration Membership

Timeline

PublishedApr 14

Description

The User Registration & Membership WordPress plugin before 4.1.2 does not prevent users to set their account role when the Membership Addon is enabled, leading to a privilege escalation issue and allowing unauthenticated users to gain admin privileges

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages1 packages

▶NVDwpeverest/user_registration_membership< 4.1.2+1

🔴Vulnerability Details

GHSA

GHSA-jxh5-f52q-732j: The User Registration & Membership WordPress plugin before 4↗2025-04-14

▶

CVEList

User Registration & Membership < 4.1.2- Unauthenticated Privilege Escalation↗2025-04-14

▶

VulnCheck

User Registration & Membership WordPress Plugin Membership Addon Privilege Escalation↗2025

▶

💥Exploits & PoCs

Nuclei

User Registration & Membership <= 4.1.1 - Unauthenticated Privilege Escalation

▶

Metasploit

WP User Registration and Membership Unauthenticated Privilege Escalation (CVE-2025-2563)↗

▶