CVE-2025-2563
Published: 14 April 2025
Summary
CVE-2025-2563 is a high-severity vulnerability of unspecified weakness type (no CWE assigned) in Wpeverest User Registration & Membership. Its CVSS base score is 8.1 (High).
Operationally, it is ranked in the top 0.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The vulnerability affects the User Registration & Membership WordPress plugin prior to version 4.1.2. When the Membership Addon is enabled, the plugin fails to restrict users from setting their own account role during registration. This is a privilege escalation flaw that permits unauthenticated attackers to assign themselves administrative privileges.
An unauthenticated remote attacker can exploit the issue over the network by submitting a crafted registration request that specifies an elevated role such as administrator. Successful exploitation grants full control over the WordPress site, including the ability to modify content, manage users, and execute arbitrary code.
The referenced WPScan advisory identifies the flaw in versions before 4.1.2 and indicates that updating to 4.1.2 or later resolves the missing role restriction. The EPSS score has reached a peak of 0.8922 with a current value of 0.8768, reflecting sustained exploitation interest following disclosure.
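The root cause described above is a mass-assignment pattern: the registration handler copies a client-supplied role into the new account. The following PHP is an added illustration, not code from the User Registration & Membership plugin, and the request field names, the allowlist and the logger are assumptions. It shows the unsafe pattern beside a hardened handler that chooses the role server-side and records any attempt to request a disallowed one, which doubles as a detection signal.

```php
<?php
// Added example, not the plugin's own code. Field names, the role allowlist
// and the logging callback are assumptions for illustration.

declare(strict_types=1);

// Roles that self-service registration may ever produce (assumed allowlist).
const SELF_REGISTRATION_ROLES = ['subscriber'];
const DEFAULT_ROLE = 'subscriber';

/**
 * Unsafe pattern (illustrative): the role is taken straight from the request,
 * so whoever submits the form decides their own privilege level.
 */
function build_user_unsafe(array $request): array
{
    return [
        'login' => $request['username'] ?? '',
        'email' => $request['email'] ?? '',
        'role'  => $request['role'] ?? DEFAULT_ROLE,   // client-controlled
    ];
}

/**
 * Hardened pattern: the role is decided server-side. A client-supplied value is
 * honoured only if it is in the allowlist; anything else is replaced by the
 * default and logged so the attempt is visible to monitoring.
 */
function build_user_hardened(array $request, callable $log): array
{
    $requested = $request['role'] ?? null;
    $role = DEFAULT_ROLE;

    if ($requested !== null && in_array($requested, SELF_REGISTRATION_ROLES, true)) {
        $role = $requested;
    } elseif ($requested !== null) {
        // Record the attempt without echoing role names back to the client.
        $log(sprintf(
            'registration for "%s" requested disallowed role "%s"; assigned "%s"',
            $request['username'] ?? '?',
            $requested,
            DEFAULT_ROLE
        ));
    }

    return [
        'login' => $request['username'] ?? '',
        'email' => $request['email'] ?? '',
        'role'  => $role,
    ];
}

// Constructed sample request: a registration that names an elevated role.
$request = [
    'username' => 'alice',
    'email'    => 'alice@example.test',
    'role'     => 'administrator',
];
$logger = static fn(string $msg) => fwrite(STDERR, $msg . PHP_EOL);

echo 'unsafe handler assigns:   ', build_user_unsafe($request)['role'], PHP_EOL;
echo 'hardened handler assigns: ', build_user_hardened($request, $logger)['role'], PHP_EOL;
```

In a real WordPress handler the same idea applies to the `role` key passed to `wp_insert_user()`: drop any client-supplied value and set it from `get_option('default_role')` or a fixed allowlist, so the only way to reach a higher role is through an administrator's explicit action. The log line written by the hardened handler is the kind of event a site owner can alert on while the plugin is still being updated to 4.1.2 or later.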
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-10866
Vulnerability details
The User Registration & Membership WordPress plugin before 4.1.2 does not prevent users from setting their account role when the Membership Addon is enabled, leading to a privilege escalation issue and allowing unauthenticated users to gain admin privileges.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.