CVE-2025-2563

Published Apr 14, 2025

Last updated 11 days ago

CVSS: 8.1 (HIGH)
WordPress

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-2563 is a critical security vulnerability in the "User Registration & Membership" WordPress plugin that allows unauthenticated attackers to create new user accounts with administrator privileges. It affects versions up to and including 4.1.1 and stems from insufficient restrictions on the role type in the 'prepare_members_data()' function. Successful exploitation requires the Membership add-on to be activated and new registrations not to require confirmation. The plugin developers have released versions 4.1.2 (free version) and 5.1.2 (pro version) to address the vulnerability.

Description

The User Registration & Membership WordPress plugin before 4.1.2 does not prevent users from setting their account role when the Membership Addon is enabled, leading to a privilege escalation issue and allowing unauthenticated users to gain admin privileges.

Source: contact@wpscan.com
NVD status: Analyzed

Risk scores

CVSS 3.1 (type: Secondary)

Base score: 8.1
Impact score: 5.9
Exploitability score: 2.2
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

Weaknesses

nvd@nist.gov: NVD-CWE-noinfo (insufficient information to assign a specific CWE)

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score: 23

  1. 🚨 CVE-2025-2563 🚨 I have developed a Metasploit module to exploit an unauthenticated privilege escalation in the WordPress User Registration & Membership plugin (Free < 4.1.2, Pro < 5.1.2) [+70k installs]. PR: https://t.co/bXHNmhYmZT https://t.co/aWyviLAFt6

    @Chocapikk_, 9 May 2025. 10060 impressions, 39 retweets, 187 likes, 87 bookmarks, 2 replies, 0 quotes.

  2. CVE-2025-2563 04/14/2025 06:15:16 AM BaseSeverity: HIGH The User Registration & Membership WordPress plugin before 4.1.2 does not prevent users to set their account role when the Membership Addon is enable... https://t.co/QUub3XKaI3

    @CVETracker, 14 Apr 2025. 25 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes.

  3. CVE-2025-2563 The User Registration & Membership WordPress plugin before 4.1.2 does not prevent users to set their account role when the Membership Addon is enabled, leading to a pr… https://t.co/VuXqqxXcCr

    @CVEnew, 14 Apr 2025. 425 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes.

  4. 🚨 CVE-2025-2563 - critical 🚨 User Registration & Membership <= 4.1.1 - Unauthenticated Privilege Escalation > The User Registration & Membership plugin for WordPress is vulnerable to privilege es... 👾 https://t.co/9YwtRaBIBG @pdnuclei #Nuc...

    @pdnuclei_bot, 7 Apr 2025. 0 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes.

  5. 🚨🚨🚨🚨🚨🚨🚨 A critical security flaw has been discovered in the WordPress plugin "User Registration & Membership", widely used on sites with registration and access-control functionality. Catalogued as CVE-2025-2563 and with a CVSS score of 9.8, the vulnerability

    @MarcelloBRUS, 29 Mar 2025. 8 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes.

  6. Details about the User Registration & Membership <= 4.1.1 - Unauthenticated Privilege Escalation - CVE-2025-2563: https://t.co/swFyg8XC7j #WordPress #PluginSecurity #UpdateNow

    @the_pesc, 29 Mar 2025. 17 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes.

  7. WordPress Plugin CVE-2025-2563 Scores 9.8, Threatens Thousands of Membership Sites A critical security vulnerability has been discovered in the “User Registration & Membership” WordPress plugin. https://t.co/DpP9n5DCnt

    @the_yellow_fall, 27 Mar 2025. 504 impressions, 3 retweets, 10 likes, 3 bookmarks, 0 replies, 0 quotes.
