CVE-2025-2563 Scanner - Privilege Escalation vulnerability in User Registration & Membership
Short Info
Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 10 days 9 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
User Registration & Membership is a WordPress plugin that provides front-end registration, login, and membership functionality. It is commonly used by site owners to manage user access, sell memberships, and customize registration flows. The plugin enables administrators to create multi-step forms, assign roles to users, and integrate payment methods. Its widespread usage in community sites, educational portals, and subscription services makes it a popular tool in the WordPress ecosystem. The plugin also supports user role assignment and member registration features, which are central to this vulnerability. When improperly implemented, such features can become avenues for unauthorized access and control.
This scanner targets a critical Privilege Escalation vulnerability in the User Registration & Membership plugin, versions up to and including 4.1.1. The vulnerability is due to insufficient restrictions in the `prepare_members_data()` function, which handles role assignment during membership registration. An unauthenticated attacker can abuse this flaw to assign the `administrator` role to a newly created account. This allows them to bypass the normal registration workflow and gain full administrative access to the WordPress site. The vulnerability can be exploited through crafted POST requests without any existing user credentials. Because of its severity and potential for full site compromise, this issue is rated critical.
The vulnerability is exploited through multiple steps that include visiting the registration page, harvesting nonce tokens and field values, and then submitting a forged request to register a new user. The attacker can then explicitly specify the role as `administrator` in a backend membership registration request. The scanner simulates this full flow by extracting dynamic values from the frontend and making backend requests to register and authenticate a new admin user. The plugin’s lack of server-side validation on role assignments makes this attack possible. Once registered, the scanner verifies admin access by logging in and checking for the user's presence in the administrator user list.
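As an added illustration, not the plugin's code and not the scanner's, the constructed Python below contrasts a registration step that trusts a client-supplied role (the pattern described above) with one that decides the role server-side from an allowlist, and adds the audit a site owner would run afterwards over `wp user list` records; the function names, `REGISTRATION_ALLOWED_ROLES` and the sample user records are assumptions.

```python
from typing import Iterable, List, Optional

# Roles a self-service membership form may grant. Privileged roles such as
# 'administrator' are deliberately absent and must never be derived from input.
REGISTRATION_ALLOWED_ROLES = frozenset({"subscriber", "member"})
DEFAULT_ROLE = "subscriber"


class RoleNotPermitted(ValueError):
    """Raised when a registration request asks for a role it may not receive."""


def prepare_members_data_vulnerable(post: dict) -> dict:
    """Flawed pattern (constructed, not the plugin's code): the role to assign is
    copied straight from the request body, so the client decides the role."""
    return {"user_login": post["username"], "role": post.get("role", DEFAULT_ROLE)}


def prepare_members_data_hardened(post: dict, membership_role: Optional[str] = None) -> dict:
    """Hardened pattern: the role comes from server-side membership configuration
    (membership_role, chosen by the site owner), never from the request. A request
    naming a role outside the allowlist is rejected; logging that rejection gives
    defenders a signal that the role field is being probed."""
    requested = post.get("role")
    if requested is not None and requested not in REGISTRATION_ALLOWED_ROLES:
        raise RoleNotPermitted(f"role {requested!r} cannot be requested at registration")
    role = membership_role or DEFAULT_ROLE
    if role not in REGISTRATION_ALLOWED_ROLES:
        # Misconfigured plan: fail closed instead of granting a privileged role.
        raise RoleNotPermitted(f"membership plan maps to non-registrable role {role!r}")
    return {"user_login": post["username"], "role": role}


def unexpected_admins(users: Iterable[dict], baseline_admins: Iterable[str]) -> List[str]:
    """Post-incident audit: given records shaped like the output of
    `wp user list --fields=user_login,roles --format=json`, return administrator
    logins that are not in the site owner's known-good baseline."""
    known = set(baseline_admins)
    found = []
    for u in users:
        roles = u.get("roles", "")
        roles = roles.split(",") if isinstance(roles, str) else list(roles)
        if "administrator" in roles and u["user_login"] not in known:
            found.append(u["user_login"])
    return sorted(found)


# Constructed sample records (not from any real site) for the audit above.
SAMPLE_USERS = [
    {"user_login": "owner", "roles": "administrator"},
    {"user_login": "eve", "roles": "administrator"},
    {"user_login": "bob", "roles": "member"},
]
BASELINE_ADMINS = ("owner",)
```

Any login returned by `unexpected_admins` on a site that ran an affected version is worth treating as a suspected compromise until the account's origin is confirmed.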
Exploitation allows unauthenticated attackers to gain administrator privileges, giving them unrestricted control over the affected WordPress installation. This includes installing malicious plugins or themes, modifying site content, creating or deleting users, and exfiltrating sensitive data. The issue poses a major risk in publicly exposed registration systems and undermines the integrity of the entire site. It may also serve as an initial access point for more advanced attacks like lateral movement or data destruction. Immediate remediation is necessary to prevent exploitation in the wild.
REFERENCES
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/user-registration/user-registration-membership-411-unauthenticated-privilege-escalation
- https://patchstack.com/database/wordpress/plugin/user-registration/vulnerability/wordpress-user-registration-membership-plugin-4-1-2-unauthenticated-privilege-escalation-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2025-2563