CVE-2025-34077
Published: 09 July 2025
Summary
CVE-2025-34077 is a critical-severity Code Injection (CWE-94) vulnerability in Pieregister (inferred from references). Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
An authentication bypass vulnerability affects the WordPress Pie Register plugin up to version 3.7.1.4. The flaw resides in the login handling logic and permits unauthenticated attackers to submit a specially crafted POST request containing social_site=true and a manipulated user_id_social_site parameter. Successful exploitation issues a valid WordPress session cookie for any chosen user identifier, including administrator accounts. The associated CVSS 4.0 score of 10.0 reflects the absence of required authentication, privileges, or user interaction together with full impact on confidentiality, integrity, and availability.
Once authenticated, an attacker can leverage the plugin’s upload functionality to install a malicious plugin containing arbitrary PHP code, resulting in remote code execution on the underlying server. The attack can therefore be carried out by any remote, unauthenticated party and yields complete control over the WordPress site and host. Public references include a Metasploit module that implements the bypass and subsequent RCE chain, confirming that working exploit code is readily available.
The current EPSS score of 0.7624, with a recorded peak of 0.7728, indicates sustained and substantial exploitation interest following disclosure. No specific patch version or mitigation guidance is supplied in the available references.
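Detection logic for the request pattern described above, added here as an example; it is not code from the advisory, the plugin, or the referenced Metasploit module. It assumes a JSON-lines request log that records form-encoded POST bodies (the field names `ts`, `src`, `method`, `path`, `body` and the `/login/` path are hypothetical, and the sample records are constructed); `action=upload-plugin` is the WordPress core plugin-upload action.

```python
import json
from urllib.parse import parse_qs

# Constructed sample records in an assumed body-logging format (e.g. a WAF audit log).
SAMPLE_LOG = """\
{"ts": "2025-07-10T08:01:12Z", "src": "203.0.113.7", "method": "POST", "path": "/login/", "body": "log=alice&pwd=REDACTED"}
{"ts": "2025-07-10T08:03:40Z", "src": "198.51.100.23", "method": "POST", "path": "/login/", "body": "social_site=true&user_id_social_site=1"}
{"ts": "2025-07-10T08:03:55Z", "src": "198.51.100.23", "method": "POST", "path": "/wp-admin/update.php?action=upload-plugin", "body": ""}
{"ts": "2025-07-10T08:09:02Z", "src": "203.0.113.7", "method": "GET", "path": "/?social_site=true", "body": ""}
"""

UPLOAD_MARKER = "action=upload-plugin"  # WordPress core plugin-upload action


def bypass_target(rec):
    """Return the requested user ID if a POST body carries both advisory parameters, else None."""
    if rec.get("method") != "POST":
        return None
    form = parse_qs(rec.get("body") or "", keep_blank_values=True)
    if "true" not in (v.strip().lower() for v in form.get("social_site", [])):
        return None
    ids = form.get("user_id_social_site")
    return ids[0] if ids else None


def scan(lines):
    """Flag bypass attempts, then plugin uploads from any source that attempted one."""
    findings, suspects = [], set()
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed or empty lines instead of aborting the scan
        if not isinstance(rec, dict):
            continue
        src, ts = rec.get("src"), rec.get("ts")
        target = bypass_target(rec)
        if target is not None:
            suspects.add(src)
            findings.append(("auth-bypass-attempt", src, ts, target))
        elif (rec.get("method") == "POST" and src in suspects
              and UPLOAD_MARKER in rec.get("path", "")):
            findings.append(("plugin-upload-after-bypass", src, ts, None))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

Ordinary access logs do not record POST bodies, so the first rule only works where body capture is enabled; the second rule still helps triage when it is not, if the suspect set is seeded from another source.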
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20764
Vulnerability details
An authentication bypass vulnerability exists in the WordPress Pie Register plugin ≤ 3.7.1.4 that allows unauthenticated attackers to impersonate arbitrary users by submitting a crafted POST request to the login endpoint. By setting social_site=true and manipulating the user_id_social_site parameter, an attacker can generate a valid WordPress session cookie for any user ID, including administrators. Once authenticated, the attacker may exploit plugin upload functionality to install a malicious plugin containing arbitrary PHP code, resulting in remote code execution on the underlying server.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
Requires established identification and authentication to unlock, mitigating missing authentication for continued system access.
Requiring identification and rationale for actions allowed without authentication ensures critical functions are not left unprotected by forcing review of authentication requirements.
Authorizing mobile device connections to organizational systems ensures authentication is performed for this critical access function.
Guarantees critical functions are protected by mandatory invocation of the access control mechanism.
Auditing sessions makes it possible to detect access to critical functions without required authentication.
The assessment process confirms authentication is present and effective for critical functions, preventing exploitation from missing authentication.
Certification assesses that critical functions have required authentication controls in place.