cbcvebase.
CVE-2025-4334
published 2025-06-26


Priority: P2 71 · critical 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes
EPSS: 2.05% (78.9th percentile)
The Simple User Registration plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.3. This is due to insufficient restrictions on user meta values that can be supplied during registration. This makes it possible for unauthenticated attackers to register as an administrator.

Affected (2 ranges)

Vendor        Product                   Version range   Fixed in
najeebmedia   simple_user_registration  <= 6.3          (not listed)
nmedia        simple_user_registration  <= 6.3          (not listed)

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
command: action=wpr_submit_form&wpr%5Bwp_field%5D%5Brole%5D=administrator
path: /wp-content/plugins/simple-user-registration/
  • Detect exploit attempts by monitoring POST requests to /wp-admin/admin-ajax.php containing the parameter 'action=wpr_submit_form' combined with 'wpr[wp_field][role]=administrator' in the body, indicating an unauthenticated privilege escalation attempt.
  • Successful exploitation is confirmed when the response to the admin-ajax.php POST contains both 'user_id' and 'Registration Done', indicating a new administrator account was created.
  • Presence of 'WPR Register' in the /register/ page body confirms the vulnerable Simple User Registration plugin is active on the target WordPress site.
  • Use Shodan query to identify exposed WordPress instances with the Simple User Registration plugin installed.
  • The exploit requires a valid wpr_nonce extracted from the registration page; monitor for automated GET requests to /register/ followed immediately by POST to /wp-admin/admin-ajax.php from the same source IP as a two-step attack pattern.
  • The exploit requires a valid wpr_nonce and wpr_form_id extracted dynamically from the /register/ page before submitting the privilege escalation POST request; static replay of the payload alone will not succeed.
  • The vulnerability affects all versions up to and including 6.3 of the Simple User Registration plugin; versions beyond 6.3 are not confirmed vulnerable.
  • The attack is unauthenticated and requires no prior privileges; the X-Requested-With: XMLHttpRequest header must be present in the POST request for the AJAX handler to process the registration.
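The detection points above, turned into a small log-review routine as an added example (not code from the CVE record or the plugin). It assumes request events have already been normalised into the `Event` fields shown, and the sample traffic is constructed:

```python
from dataclasses import dataclass
from urllib.parse import parse_qs

# One HTTP request as seen by the web server or WAF, plus the response body it
# produced. Field names are an assumption of this example.
@dataclass
class Event:
    ts: float
    src_ip: str
    method: str
    path: str
    body: str = ""
    response: str = ""

AJAX_PATH = "/wp-admin/admin-ajax.php"
REGISTER_PATH = "/register/"

def is_escalation_attempt(ev: Event) -> bool:
    """POST to admin-ajax.php submitting the wpr form with role=administrator.
    parse_qs decodes the %5B/%5D brackets, so the encoded form seen on the
    wire and an already-decoded body both match."""
    if ev.method != "POST" or ev.path.split("?")[0] != AJAX_PATH:
        return False
    params = parse_qs(ev.body)
    return ("wpr_submit_form" in params.get("action", [])
            and "administrator" in params.get("wpr[wp_field][role]", []))

def is_confirmed_success(ev: Event) -> bool:
    """Both response markers the record lists for a completed registration."""
    return "user_id" in ev.response and "Registration Done" in ev.response

def find_two_step_patterns(events, window_s=60):
    """(ip, ts, success) for each escalation POST preceded by GET /register/
    from the same IP within window_s seconds: nonce fetch, then form submit."""
    last_register, hits = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.method == "GET" and ev.path == REGISTER_PATH:
            last_register[ev.src_ip] = ev.ts
        elif is_escalation_attempt(ev):
            t0 = last_register.get(ev.src_ip)
            if t0 is not None and ev.ts - t0 <= window_s:
                hits.append((ev.src_ip, ev.ts, is_confirmed_success(ev)))
    return hits

SAMPLE = [  # constructed traffic, not a real capture
    Event(100.0, "198.51.100.7", "GET", REGISTER_PATH),
    Event(101.5, "198.51.100.7", "POST", AJAX_PATH,
          "action=wpr_submit_form&wpr%5Bwp_field%5D%5Brole%5D=administrator&wpr_nonce=x",
          '{"user_id":12,"msg":"Registration Done"}'),
    Event(200.0, "203.0.113.9", "POST", AJAX_PATH,
          "action=wpr_submit_form&wpr%5Bwp_field%5D%5Brole%5D=subscriber",
          "Registration Done"),
]
```

Only the first source IP is reported: it fetched /register/ and then submitted the administrator role within the window, and the response carries both success markers; the subscriber registration from the second IP is ordinary plugin use.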