CVE-2025-2563
published 2025-04-14


Priority: P1 · 86 · high
CVSS 3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 44.41% (98.6th percentile)
The User Registration & Membership WordPress plugin before 4.1.2 does not prevent users to set their account role when the Membership Addon is enabled, leading to a privilege escalation issue and allowing unauthenticated users to gain admin privileges

Affected (2 ranges)

Vendor      Product                        Version range   Fixed in
wpeverest   user_registration_membership   < 4.1.2         4.1.2
wpeverest   user_registration_membership   < 5.1.2         5.1.2

Detection & IOCs (extracted from sources)

url        /wp-admin/admin-ajax.php
url        /membership-registration/
command    action=user_registration_user_form_submit
command    action=user_registration_membership_register_member
filename   user-registration.4.1.1.zip
  • Detect unauthenticated POST to /wp-admin/admin-ajax.php with action=user_registration_membership_register_member and role=administrator in the body — this is the privilege escalation step.
  • Detect unauthenticated POST to /wp-admin/admin-ajax.php with action=user_registration_user_form_submit — this is the initial registration step of the two-stage exploit chain.
  • A successful exploitation response for the membership escalation step contains 'New member has been successfully created.' and 'member_id' and '"success":true' in the response body.
  • A successful registration step response contains 'success_message_positon', the registered username, and '"success":true' in the response body.
  • Full exploit chain: (1) register free-membership user via AJAX, (2) elevate to administrator via membership AJAX action, (3) log in and upload/execute a PHP payload.
  • The vulnerability is only exploitable when the Membership Addon is enabled; check for the presence of the membership registration page and the ur_membership_frontend_localized_data JS variable.
  • Look for the nonce extraction pattern 'ur_membership_frontend_localized_data = {"_nonce":' in page source — its presence confirms the vulnerable membership addon is active.
  • The exploit only works when the Membership Addon is enabled in the User Registration & Membership plugin; the vulnerability does not exist in default plugin installations without this addon.
  • Affected versions are <= 4.1.1; version 4.1.2 patches the issue.
  • The exploit was tested on WordPress 6.4.3; behavior on other WordPress versions may differ.
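The two detection bullets and the addon-presence check above can be turned into one correlation routine. The following is an added example written for this page, not code from the plugin vendor or from any of the cited sources. It assumes request records that already carry the POST body, cookies and response body (a WAF, reverse proxy or application log; a plain access log does not capture bodies), and it treats the absence of a `wordpress_logged_in_*` cookie as "unauthenticated". The `action` and `role` parameters and the response markers come from the IOC list; every other parameter name and all sample traffic are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

AJAX_PATH = "/wp-admin/admin-ajax.php"
REGISTER_ACTION = "user_registration_user_form_submit"
ESCALATE_ACTION = "user_registration_membership_register_member"

# Marker the Membership Addon emits into page source (from the IOC list above).
ADDON_MARKER = re.compile(r'ur_membership_frontend_localized_data\s*=\s*\{"_nonce":')


def membership_addon_active(html):
    """True if the page source carries the Membership Addon's localized-data variable."""
    return ADDON_MARKER.search(html) is not None


def is_unauthenticated(rec):
    """WordPress sets a wordpress_logged_in_* cookie for logged-in sessions; its absence
    on an admin-ajax.php POST is what the sources mean by 'unauthenticated'."""
    return "wordpress_logged_in_" not in rec.get("cookies", "")


def classify_request(rec):
    """Return 'register', 'escalate' or None for one request record."""
    if rec["method"] != "POST" or rec["path"] != AJAX_PATH or not is_unauthenticated(rec):
        return None
    params = parse_qs(rec.get("body", ""))
    action = params.get("action", [""])[0]
    if action == REGISTER_ACTION:
        return "register"
    if action == ESCALATE_ACTION and params.get("role", [""])[0] == "administrator":
        return "escalate"
    return None


def response_succeeded(stage, response):
    """Match the success markers the sources quote for each stage's response body."""
    if '"success":true' not in response:
        return False
    if stage == "escalate":
        return ("New member has been successfully created." in response
                and "member_id" in response)
    if stage == "register":
        return "success_message_positon" in response  # misspelling is the plugin's own key
    return False


def find_exploit_chains(records):
    """Correlate both stages per source address, in timestamp order.

    Every unauthenticated escalation attempt is reported even without a preceding
    registration from the same address (the account may have been registered from
    elsewhere); the *_ok flags separate attempts from confirmed successes.
    """
    per_src = defaultdict(lambda: {"register_ok": None, "escalate_ok": None})
    for rec in sorted(records, key=lambda r: r["ts"]):
        stage = classify_request(rec)
        if stage is None:
            continue
        state = per_src[rec["src"]]
        key = stage + "_ok"
        state[key] = bool(state[key]) or response_succeeded(stage, rec.get("response", ""))
    return [{"src": src, **state} for src, state in per_src.items()
            if state["escalate_ok"] is not None]


# Constructed sample traffic (not real logs): one address walks the full chain;
# a logged-in member submitting a form and an unrelated heartbeat POST must not fire.
SAMPLE_RECORDS = [
    {"ts": "2025-04-15T10:00:01Z", "src": "198.51.100.7", "method": "GET",
     "path": "/membership-registration/", "cookies": "", "body": "",
     "response": '<script>var ur_membership_frontend_localized_data = {"_nonce":"0f3a9c2e1b"};</script>'},
    {"ts": "2025-04-15T10:00:02Z", "src": "198.51.100.7", "method": "POST",
     "path": AJAX_PATH, "cookies": "",
     "body": "action=user_registration_user_form_submit&form_data=%5B%5D&form_id=12&ur_frontend_form_nonce=0f3a9c2e1b",
     "response": '{"success":true,"data":{"success_message_positon":"1","username":"mallory"}}'},
    {"ts": "2025-04-15T10:00:03Z", "src": "198.51.100.7", "method": "POST",
     "path": AJAX_PATH, "cookies": "",
     "body": "action=user_registration_membership_register_member&members_data=%7B%7D&role=administrator&ur_membership_register_nonce=0f3a9c2e1b",
     "response": '{"success":true,"data":{"message":"New member has been successfully created.","member_id":42}}'},
    {"ts": "2025-04-15T10:05:00Z", "src": "203.0.113.9", "method": "POST",
     "path": AJAX_PATH, "cookies": "wordpress_logged_in_abc=alice%7C1744710000",
     "body": "action=user_registration_user_form_submit&form_data=%5B%5D",
     "response": '{"success":true,"data":{"success_message_positon":"1","username":"alice"}}'},
    {"ts": "2025-04-15T10:06:00Z", "src": "203.0.113.10", "method": "POST",
     "path": AJAX_PATH, "cookies": "", "body": "action=heartbeat&_nonce=deadbeef",
     "response": '{"success":true,"data":[]}'},
]

if __name__ == "__main__":
    print("addon active on registration page:",
          membership_addon_active(SAMPLE_RECORDS[0]["response"]))
    for finding in find_exploit_chains(SAMPLE_RECORDS):
        print("ALERT CVE-2025-2563 chain from", finding["src"], finding)
```

Matching only `role=administrator` follows the sources literally; an attacker could request any privileged role, so a production rule should alert on any unauthenticated `user_registration_membership_register_member` request that carries a `role` parameter at all and treat the administrator case as the high-confidence subset.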

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      8.1     HIGH       CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck             8.1     HIGH