cbcvebase.
CVE-2025-2594
published 2025-04-22

CVE-2025-2594: The User Registration & Membership WordPress plugin before 4.1.3 does not properly validate data in an AJAX action when the Membership Addon is enabled…

Priority: P2 67 (high)
CVSS 3.1: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 7.25% (93.6th percentile)
The User Registration & Membership WordPress plugin before 4.1.3 does not properly validate data in an AJAX action when the Membership Addon is enabled, allowing attackers to authenticate as any user, including administrators, by simply using the target account's user ID.

Affected (2 ranges)

Vendor      Product                        Version range   Fixed in
wpeverest   user_registration_membership   < 4.1.3         4.1.3
wpeverest   user_registration_membership   < 5.1.3         5.1.3

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
command: action=user_registration_membership_confirm_payment
command: form_response={"auto_login": true}
  • Alert on multipart/form-data POST bodies to admin-ajax.php that include both 'auto_login: true' in the form_response field and a numeric member_id — this is the exact payload pattern used to hijack arbitrary accounts.
  • Flag successful (HTTP 200 + JSON '"success":true') responses to the above AJAX action from unauthenticated or low-privilege sessions, as this indicates a successful authentication bypass.
  • Prioritize monitoring for member_id=1 (or other low integer IDs) in the POST body, as attackers typically target the administrator account first.
  • The vulnerability is only exploitable when the Membership Addon is enabled within the User Registration & Membership plugin. Installations without this addon active are not affected.
  • A valid nonce (_confirm_payment_nonce) is required by the exploit, meaning the attacker must first obtain this value from a registration page; detections should also watch for reconnaissance of nonce values on registration flows.
  • Affected versions are <= 4.1.2; the fix is present in version 4.1.3 and later. Ensure the plugin is updated to at least 4.1.3.
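The detection bullets above turned into a small classifier run over constructed request records. This is an added example, not code from the advisory or from the plugin; the record layout (parsed multipart fields plus status and response body), the function names and the low-ID cut-off of 10 are assumptions.

```python
import json
import re

# Constructed sample records (not real traffic): method, path, parsed multipart
# form fields, HTTP status, response body. Field names follow the advisory.
AJAX_ACTION = "user_registration_membership_confirm_payment"

def classify_request(method, path, fields, status, response_body):
    """Return None if no match, else a dict with severity and matched indicators."""
    if method != "POST" or not path.endswith("/wp-admin/admin-ajax.php"):
        return None
    if fields.get("action") != AJAX_ACTION:
        return None
    try:
        form_response = json.loads(fields.get("form_response", "{}"))
    except ValueError:
        return None
    member_id = fields.get("member_id", "")
    if (not isinstance(form_response, dict) or form_response.get("auto_login") is not True
            or not member_id.isdigit()):
        return None
    hit = {"severity": "medium", "member_id": int(member_id),
           "indicators": ["auto_login:true", "numeric member_id"]}
    # Low integer IDs are typically administrators; the cut-off of 10 is an assumption.
    if int(member_id) <= 10:
        hit["indicators"].append("low member_id")
        hit["severity"] = "high"
    # HTTP 200 with "success":true in the JSON body means the bypass succeeded.
    if status == 200 and re.search(r'"success"\s*:\s*true', response_body or ""):
        hit["indicators"].append("success response")
        hit["severity"] = "critical"
    return hit

SAMPLE_RECORDS = [
    # benign WordPress AJAX call
    ("POST", "/wp-admin/admin-ajax.php", {"action": "heartbeat"}, 200, '{"success":true}'),
    # advisory payload against user ID 1, accepted by the server
    ("POST", "/wp-admin/admin-ajax.php",
     {"action": AJAX_ACTION, "member_id": "1", "_confirm_payment_nonce": "abc123",
      "form_response": '{"auto_login": true}'}, 200, '{"success":true,"data":{}}'),
    # same payload against an ordinary user, rejected (patched site or stale nonce)
    ("POST", "/wp-admin/admin-ajax.php",
     {"action": AJAX_ACTION, "member_id": "4242", "form_response": '{"auto_login": true}'},
     403, '{"success":false}'),
    # legitimate payment confirmation without auto_login
    ("POST", "/wp-admin/admin-ajax.php",
     {"action": AJAX_ACTION, "member_id": "17", "form_response": '{"auto_login": false}'},
     200, '{"success":true}'),
]

def scan(records):
    return [(i, hit) for i, rec in enumerate(records) if (hit := classify_request(*rec))]
```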