CVE-2025-34077
Published 2025-07-09
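Priority: P1 · 81 · critical · 10 (CVSS 4.0)
CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (E, CR, IR, AR, the modified metrics MAV through MSA, and the supplemental metrics S, AU, R, V, RE, U are all X, not defined)
EXPLOIT
EPSS: 9.90% (95.0th percentile)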
An authentication bypass vulnerability exists in the WordPress Pie Register plugin ≤ 3.7.1.4 that allows unauthenticated attackers to impersonate arbitrary users by submitting a crafted POST request to the login endpoint. By setting social_site=true and manipulating the user_id_social_site parameter, an attacker can generate a valid WordPress session cookie for any user ID, including administrators. Once authenticated, the attacker may exploit plugin upload functionality to install a malicious plugin containing arbitrary PHP code, resulting in remote code execution on the underlying server.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| genetech_solutions | wordpress_pie_register_plugin | <= 3.7.1.4 | — |
Detection & IOCs (extracted from sources)
Command: POST /?pr_social_login=1 with body: user_id_social_site=1&social_site=true&piereg_login_after_registration=true&_wp_http_referer=/login/&log=null&pwd=null
- Detect authentication bypass attempts by monitoring POST requests to /?pr_social_login=1 containing both 'social_site=true' and 'user_id_social_site' parameters from unauthenticated sessions.
- Alert on POST requests to /wp-admin/plugin-install.php?upload immediately following a session cookie set via the pr_social_login endpoint, as this indicates the RCE chaining step.
- Monitor for creation of new PHP files under /wp-content/plugins/ shortly after a plugin upload via wp-admin, especially files named shell.php or within newly created plugin directories.
- Detect the exploit's multipart file upload of a ZIP archive to the plugin install endpoint; look for multipart/form-data POST to plugin-install.php?upload with a field named 'pluginzip'.
- Successful exploitation is confirmed by the string 'Plugin installed successfully' in the HTTP response body following the malicious plugin upload.
- The Metasploit module for this CVE targets WordPress Plugin Pie Register <= 3.7.1.4; use version detection on the plugin to identify vulnerable installations.
- The exploit targets user_id_social_site=1 (default admin ID) but any arbitrary user ID can be supplied; detection rules should match on the presence of the parameter rather than a specific value.
- The Nuclei template uses a two-step detection chain (auth bypass then dashboard access check); single-request detections may miss the full exploit flow.
- The exploit script uses 100 concurrent threads for mass scanning; high-volume parallel POST requests to /?pr_social_login=1 from a single source IP are a strong mass-exploitation indicator.
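The first two detections above, correlated per source IP over web access logs, as an added example (not code from this page or from any of the indexed sources). It assumes combined-format access logs, which record the URL but not the POST body, so it matches on the pr_social_login query string only; matching social_site and user_id_social_site needs body logging at a WAF or proxy. The log lines, IP addresses and the five-minute window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not from a real host).
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jul/2025:10:00:01 +0000] "POST /?pr_social_login=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Jul/2025:10:00:04 +0000] "POST /wp-admin/plugin-install.php?upload HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Jul/2025:10:02:00 +0000] "GET /?pr_social_login=1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.44 - - [09/Jul/2025:10:05:00 +0000] "POST /wp-admin/plugin-install.php?upload HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [09/Jul/2025:10:06:00 +0000] "POST /?pr_social_login=1 HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
CHAIN_WINDOW = timedelta(minutes=5)  # assumption: tune to your environment


def parse(line):
    """Return the fields needed for correlation, or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    url = urlsplit(target)
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": url.path, "status": int(status),
            "query": parse_qs(url.query, keep_blank_values=True)}


def detect(log_text, window=CHAIN_WINDOW):
    """Flag POSTs to the social-login endpoint and any plugin upload that
    follows one from the same source IP within the window."""
    alerts, last_bypass = [], {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["method"] != "POST":
            continue
        if ev["query"].get("pr_social_login") == ["1"]:
            last_bypass[ev["ip"]] = ev["time"]
            alerts.append(("social_login_post", ev["ip"]))
        elif ev["path"] == "/wp-admin/plugin-install.php" and "upload" in ev["query"]:
            seen = last_bypass.get(ev["ip"])
            if seen is not None and timedelta(0) <= ev["time"] - seen <= window:
                alerts.append(("bypass_then_plugin_upload", ev["ip"]))
    return alerts


if __name__ == "__main__":
    for kind, ip in detect(SAMPLE_LOG):
        print(kind, ip)
```

Behind a reverse proxy or CDN, correlate on the forwarded client address or the session cookie instead of the connecting IP.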
No detection rules found.
Exploit-DB
Pie Register WordPress Plugin 3.7.1.4 - Authentication Bypass to RCE
exploitdb·2025-07-22·CVSS 10.0
---
# Exploit Title: Pie Register WordPress Plugin 3.7.1.4 - Authentication Bypass to RCE
# Google Dork: inurl:/wp-content/plugins/pie-register/
# Date: 2025-07-09
# Exploit Author: Md Amanat Ullah (xSwads)
# Vendor Homepage: https://wordpress.org/plugins/pie-register/
# Software Link: https://downloads.wordpress.org/plugin/pie-register.3.7.1.4.zip
# Version: "
PLUGIN_DIR = "evilplugin"
ZIP_NAME = "evilplugin.zip"
SHELL_FILE = "shell.php"
OUTPUT_FILE = "Shells.txt"
HEADERS = {'User-Agent': 'Mozilla/5.0'}
TIMEOUT = 10
lock = Lock()
def FilterURLS(site):
    site = site.strip()
    if not site.startswith(('http://', 'https://')):
        site = 'http://' + site
    if not site.endswith('/'):
        site += '/'
    return site
def make_shell_zip():
bu
Nuclei
WordPress Pie Register <= 3.7.1.4 - Authentication Bypass
nuclei·CVSS 10.0
An authentication bypass vulnerability exists in the WordPress Pie Register plugin ≤ 3.7.1.4 that allows unauthenticated attackers to impersonate arbitrary users by submitting a crafted POST request to the login endpoint. By setting social_site=true and manipulating the user_id_social_site parameter, an attacker can generate a valid WordPress session cookie for any user ID, including administrators. Once authenticated, the attacker may exploit plugin upload functionality to install a malicious plugin containing arbitrary PHP code, resulting in remote code execution on the underlying server.
Template:
id: CVE-2025-34077
info:
  name: WordPress Pie Register <= 3.7.1.4 - Authentication Bypass
  author: kylew1004
  severity: critical
  descr
Metasploit
WordPress Plugin Pie Register Auth Bypass to RCE
metasploit
This module uses an authentication bypass vulnerability in WordPress Plugin Pie Register <= 3.7.1.4 to generate a valid cookie. With this cookie, hopefully of the admin, it will generate a plugin, pack the payload into it and upload it to a server running WordPress.
No writeups or analysis indexed.
- https://github.com/GTSolutions/Pie-Register
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/wp_pie_register_bypass_rce.rb
- https://pieregister.com/
- https://vulncheck.com/advisories/wordpress-pie-register-plugin-rce
- https://wordpress.org/plugins/pie-register/
- https://www.exploit-db.com/exploits/50395
Published: 2025-07-09