CVE-2025-2594
Published: 22 April 2025
Summary
CVE-2025-2594 is a high-severity vulnerability (weakness type unspecified) in Wpeverest User Registration & Membership. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 3.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The vulnerability affects the User Registration & Membership WordPress plugin prior to version 4.1.3. When the Membership Addon is enabled, an AJAX action fails to properly validate supplied data, enabling authentication bypass by supplying only a target user's numeric ID.
An unauthenticated remote attacker can exploit the flaw over the network by invoking the affected AJAX endpoint with a chosen user ID. Successful exploitation grants the attacker a valid session as that user, including administrator accounts, resulting in full compromise of confidentiality, integrity, and availability within the WordPress site.
The referenced WPScan advisory identifies the issue in versions before 4.1.3 and indicates that updating to 4.1.3 or later resolves the improper validation.
The EPSS score stands at 0.2845 with no indicated increase from a lower baseline. No public evidence of active exploitation is provided in the available data.
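The bug class the analysis describes, as an added example in WordPress plugin PHP (this is not the plugin's own code, which the record does not reproduce): a hypothetical AJAX handler that mints a session from a client-supplied user ID, beside a hardened variant that derives the user from a server-issued, single-use token and refuses to mint administrator sessions. All action, parameter and function names are assumptions.

```php
<?php
// Hypothetical illustration of the CVE-2025-2594 bug class; not the plugin's own code.
// All action, parameter and function names below are assumptions.

// VULNERABLE PATTERN: an AJAX action reachable without login ("nopriv") that turns a
// client-supplied user ID straight into an authenticated session. No nonce, no proof
// of identity, no ownership check: whoever names a user ID becomes that user.
function example_membership_login_vulnerable() {
    $user = get_user_by( 'id', absint( $_POST['user_id'] ?? 0 ) );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 404 );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, true );           // full session, admins included
    wp_send_json_success( array( 'user' => $user->user_login ) );
}

// HARDENED PATTERN: the user to log in is derived server-side from a single-use,
// expiring token the site issued earlier (e.g. after a verified e-mail confirmation),
// never from an ID the client chose. Admin accounts are excluded from the flow entirely.
function example_membership_login_hardened() {
    check_ajax_referer( 'example_membership_login', 'nonce' );   // rejects forged requests
    $token = sanitize_text_field( wp_unslash( $_POST['token'] ?? '' ) );
    if ( '' === $token ) {
        wp_send_json_error( 'missing token', 400 );
    }
    // Tokens are stored by hash in a transient; the transient value is the user ID.
    $key     = 'example_login_' . hash( 'sha256', $token );
    $user_id = (int) get_transient( $key );
    delete_transient( $key );                        // single use, even if checks below fail
    if ( $user_id <= 0 || ! get_user_by( 'id', $user_id ) ) {
        wp_send_json_error( 'invalid or expired token', 403 );
    }
    if ( user_can( $user_id, 'manage_options' ) ) {
        wp_send_json_error( 'administrators must use the normal login', 403 );
    }
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id, false, is_ssl() );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// Issued server-side only after the member's identity has been verified by another means.
function example_membership_issue_login_token( int $user_id ): string {
    $token = wp_generate_password( 32, false );      // random, no special characters
    set_transient( 'example_login_' . hash( 'sha256', $token ), $user_id, 10 * MINUTE_IN_SECONDS );
    return $token;
}

add_action( 'wp_ajax_nopriv_example_membership_login', 'example_membership_login_hardened' );
```

The vulnerable function is deliberately left unhooked; only the hardened handler is registered on the AJAX action.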
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-12286
Vulnerability details
The User Registration & Membership WordPress plugin before 4.1.3 does not properly validate data in an AJAX action when the Membership Addon is enabled, allowing attackers to authenticate as any user, including administrators, by simply using the target account's user ID.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.