CVE-2025-34077
published 2025-07-09


Priority P181 · critical · 10 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 9.90% (95.0th percentile)
An authentication bypass vulnerability exists in the WordPress Pie Register plugin ≤ 3.7.1.4 that allows unauthenticated attackers to impersonate arbitrary users by submitting a crafted POST request to the login endpoint. By setting social_site=true and manipulating the user_id_social_site parameter, an attacker can generate a valid WordPress session cookie for any user ID, including administrators. Once authenticated, the attacker may exploit plugin upload functionality to install a malicious plugin containing arbitrary PHP code, resulting in remote code execution on the underlying server.

Affected

1 range
Vendor | Product | Version range | Fixed in
genetech_solutions | wordpress_pie_register_plugin | <= 3.7.1.4 |

Detection & IOCs (extracted from sources)

url: /?pr_social_login=1
url: /wp-admin/plugin-install.php?upload
path: /wp-content/plugins/evilplugin/shell.php
path: /wp-content/plugins/pie-register/
filename: evilplugin.zip
filename: shell.php
cookie: wordpress_logged_in_
command: POST /?pr_social_login=1 with body: user_id_social_site=1&social_site=true&piereg_login_after_registration=true&_wp_http_referer=/login/&log=null&pwd=null
  • Detect authentication bypass attempts by monitoring POST requests to /?pr_social_login=1 containing both 'social_site=true' and 'user_id_social_site' parameters from unauthenticated sessions.
  • Alert on POST requests to /wp-admin/plugin-install.php?upload immediately following a session cookie set via the pr_social_login endpoint, as this indicates the RCE chaining step.
  • Monitor for creation of new PHP files under /wp-content/plugins/ shortly after a plugin upload via wp-admin, especially files named shell.php or within newly created plugin directories.
  • Detect the exploit's multipart file upload of a ZIP archive to the plugin install endpoint; look for multipart/form-data POST to plugin-install.php?upload with a field named 'pluginzip'.
  • Successful exploitation is confirmed by the string 'Plugin installed successfully' in the HTTP response body following the malicious plugin upload.
  • The Metasploit module for this CVE targets WordPress Plugin Pie Register <= 3.7.1.4; use version detection on the plugin to identify vulnerable installations.
  • The exploit targets user_id_social_site=1 (default admin ID) but any arbitrary user ID can be supplied; detection rules should match on the presence of the parameter rather than a specific value.
  • The Nuclei template uses a two-step detection chain (auth bypass then dashboard access check); single-request detections may miss the full exploit flow.
  • The exploit script uses 100 concurrent threads for mass scanning; high-volume parallel POST requests to /?pr_social_login=1 from a single source IP are a strong mass-exploitation indicator.
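
The request-matching and chaining notes above, as an added detection example (not code from this page's sources or from any tool it cites). It assumes a hypothetical WAF/proxy log schema that records request bodies (fields ts, src, method, uri, ctype, body), correlates the two steps by source IP rather than by session cookie, and uses a constructed sample and an assumed 300-second window.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample events (JSON lines); the schema is an assumption, not a real product's.
SAMPLE = """\
{"ts": 100, "src": "203.0.113.7", "method": "POST", "uri": "/?pr_social_login=1", "ctype": "application/x-www-form-urlencoded", "body": "user_id_social_site=1&social_site=true&log=null&pwd=null"}
{"ts": 130, "src": "203.0.113.7", "method": "POST", "uri": "/wp-admin/plugin-install.php?upload", "ctype": "multipart/form-data; boundary=x", "body": "Content-Disposition: form-data; name=\\"pluginzip\\"; filename=\\"a.zip\\""}
{"ts": 140, "src": "198.51.100.9", "method": "POST", "uri": "/?pr_social_login=1", "ctype": "application/x-www-form-urlencoded", "body": "log=alice&pwd=secret"}
{"ts": 150, "src": "192.0.2.44", "method": "POST", "uri": "/?pr_social_login=1", "ctype": "application/x-www-form-urlencoded", "body": "social_site=true&user_id_social_site=57"}
"""

def is_bypass_attempt(ev):
    """POST to ?pr_social_login with social_site=true and any user_id_social_site value."""
    query = parse_qs(urlsplit(ev["uri"]).query, keep_blank_values=True)
    if ev["method"] != "POST" or "pr_social_login" not in query:
        return False
    form = parse_qs(ev["body"], keep_blank_values=True)
    # Match on presence of the user ID parameter, not on a specific ID.
    return "true" in form.get("social_site", []) and "user_id_social_site" in form

def is_plugin_upload(ev):
    """Multipart POST to plugin-install.php?upload with a 'pluginzip' field."""
    url = urlsplit(ev["uri"])
    return (ev["method"] == "POST"
            and url.path.endswith("/wp-admin/plugin-install.php")
            and "upload" in parse_qs(url.query, keep_blank_values=True)
            and ev["ctype"].startswith("multipart/form-data")
            and 'name="pluginzip"' in ev["body"])

def detect(lines, chain_window=300):
    """Return (kind, src, ts) findings; chain_window is in seconds (assumed tuning value)."""
    events = [json.loads(l) for l in lines.splitlines() if l.strip()]
    findings, last_bypass = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_bypass_attempt(ev):
            last_bypass[ev["src"]] = ev["ts"]
            findings.append(("auth_bypass_attempt", ev["src"], ev["ts"]))
        elif is_plugin_upload(ev):
            seen = last_bypass.get(ev["src"])
            # Upload shortly after a bypass attempt from the same source: the chained step.
            if seen is not None and ev["ts"] - seen <= chain_window:
                findings.append(("bypass_then_plugin_upload", ev["src"], ev["ts"]))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```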