CVE-2026-25357

High

Published: 25 March 2026
Modified: 28 April 2026
KEV Added: not listed
CVSS Score (v3.1): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0034 (25.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-25357 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0034 puts it at the 25.9th percentile of exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-14 (Permitted Actions Without Identification or Authentication).

Deeper analysis

CVE-2026-25357 is an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288) in the Ultimate Membership Pro WordPress plugin, published by azzaroco under the plugin slug indeed-membership-pro. The flaw enables authentication abuse and affects all versions of the plugin up to and including 13.7. Its CVSS v3.1 base score of 8.1 (High) follows from the vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network, high attack complexity, no privileges or user interaction required, unchanged scope, and high impact on confidentiality, integrity, and availability.

Unauthenticated remote attackers can exploit this vulnerability over the network, bypassing the plugin's authentication through an alternate path or channel to take over accounts. Successful exploitation gives the attacker full control of the targeted user account, which can lead to unauthorized access to sensitive data, privilege escalation, or further compromise of the WordPress site. The AC:H component of the vector means a successful attack depends on conditions outside the attacker's direct control; the advisory does not state what those conditions are.

The Patchstack advisory for this account takeover vulnerability covers Ultimate Membership Pro up to and including version 13.7 and is the key reference for mitigation guidance.
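The following is an added illustration, not code from Ultimate Membership Pro and not a description of this CVE's actual root cause (the page gives none). It shows the CWE-288 pattern as it commonly appears in WordPress plugins: a public admin-ajax.php action (the wp_ajax_nopriv_ hook fires for unauthenticated requests) that issues a session from a client-supplied identifier, next to a hardened version that still demands a server-minted, single-use, expiring secret. All names prefixed ump_demo_ are hypothetical.

```php
<?php
// Hypothetical plugin code (added example, NOT Ultimate Membership Pro's code).

// VULNERABLE: an "auto-login" endpoint reachable by anyone. The normal login path
// (wp-login.php) checks a password; this alternate path checks nothing and hands
// out an authenticated session for whichever user id the request names.
add_action( 'wp_ajax_nopriv_ump_demo_autologin', 'ump_demo_autologin_vulnerable' );
function ump_demo_autologin_vulnerable() {
    $user_id = isset( $_GET['uid'] ) ? (int) $_GET['uid'] : 0;
    $user    = get_user_by( 'id', $user_id );
    if ( $user ) {
        wp_set_current_user( $user->ID );
        wp_set_auth_cookie( $user->ID );   // session issued with no proof of identity
    }
    wp_safe_redirect( home_url( '/' ) );
    exit;
}

// HARDENED: the same feature, but the server first mints a random token for the
// user (e.g. delivered by e-mail) and stores only its hash with an expiry.
function ump_demo_issue_login_token( int $user_id, int $ttl = 900 ): string {
    $token = bin2hex( random_bytes( 32 ) );
    update_user_meta( $user_id, 'ump_demo_login_token', array(
        'hash'    => hash( 'sha256', $token ),
        'expires' => time() + $ttl,
    ) );
    return $token;   // this is the only copy; it must reach the user out of band
}

// The alternate path now requires possession of that secret, compared in
// constant time, unexpired, and consumed on first use.
add_action( 'wp_ajax_nopriv_ump_demo_autologin_safe', 'ump_demo_autologin_hardened' );
function ump_demo_autologin_hardened() {
    $user_id = isset( $_GET['uid'] ) ? (int) $_GET['uid'] : 0;
    $token   = ( isset( $_GET['token'] ) && is_string( $_GET['token'] ) ) ? $_GET['token'] : '';
    $stored  = get_user_meta( $user_id, 'ump_demo_login_token', true );

    $valid = is_array( $stored )
        && isset( $stored['hash'], $stored['expires'] )
        && time() < (int) $stored['expires']
        && hash_equals( $stored['hash'], hash( 'sha256', $token ) );

    if ( ! $valid ) {
        wp_die( 'Invalid or expired login link', '', array( 'response' => 403 ) );
    }
    delete_user_meta( $user_id, 'ump_demo_login_token' );   // single use
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id );
    wp_safe_redirect( home_url( '/' ) );
    exit;
}
```

The fix is not a nonce: wp_verify_nonce() only shows the request originated from a page WordPress rendered, it proves nothing about who is asking. Any code path that ends in wp_set_auth_cookie() must be reachable only after proof of identity equivalent to the password check on wp-login.php.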

Vulnerability details

Authentication Bypass Using an Alternate Path or Channel vulnerability in azzaroco Ultimate Membership Pro (indeed-membership-pro) allows Authentication Abuse. This issue affects Ultimate Membership Pro: from n/a through <= 13.7.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The CVE describes an unauthenticated remote authentication bypass in a public-facing WordPress plugin that directly enables exploitation of the application (T1190) and results in full control of valid user accounts for subsequent abuse (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-6895 (shared CWE-288)
CVE-2026-29139 (shared CWE-288)
CVE-2025-26966 (shared CWE-288)
CVE-2024-13182 (shared CWE-288)
CVE-2025-23504 (shared CWE-288)
CVE-2025-7444 (shared CWE-288)
CVE-2025-7642 (shared CWE-288)
CVE-2025-8359 (shared CWE-288)
CVE-2025-1564 (shared CWE-288)
CVE-2026-27389 (shared CWE-288)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Requires timely identification, reporting, and correction of flaws, directly preventing exploitation of this authentication bypass vulnerability in the Ultimate Membership Pro plugin.

prevent

Enforces approved authorizations for access to system resources, mitigating unauthorized account takeover via alternate paths that bypass authentication.

AC-14 Permitted Actions Without Identification or Authentication (prevent)

Explicitly identifies and authorizes actions performable without identification or authentication, reducing risks from alternate channels enabling authentication abuse.
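As an added example of SI-2 in practice (not part of this page and not the plugin's own code), the must-use plugin below checks the installed Ultimate Membership Pro version against the affected range stated above (all versions through 13.7) and shows an admin notice when the site is exposed. It assumes only that the plugin lives in the wp-content/plugins/indeed-membership-pro/ directory, the slug the advisory gives; the main file name is not assumed. Names prefixed ump_check_ are hypothetical.

```php
<?php
/**
 * Plugin Name: CVE-2026-25357 exposure check (added example; place in wp-content/mu-plugins/)
 */

// Affected range from the advisory: every version up to and including 13.7.
const UMP_CHECK_MAX_AFFECTED = '13.7';
const UMP_CHECK_SLUG         = 'indeed-membership-pro';   // directory slug from the advisory

/**
 * Locate the installed plugin by directory slug. Returns
 * array( 'file' => 'indeed-membership-pro/<main>.php', 'version' => '13.x' )
 * or null when nothing is installed under that directory.
 */
function ump_check_find_plugin(): ?array {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    foreach ( get_plugins() as $file => $data ) {
        if ( strpos( $file, UMP_CHECK_SLUG . '/' ) === 0 && ! empty( $data['Version'] ) ) {
            return array( 'file' => $file, 'version' => $data['Version'] );
        }
    }
    return null;
}

/**
 * version_compare() splits on dots and compares each component numerically, so
 * 13.10 is correctly treated as newer than 13.7; a plain string comparison would
 * wrongly flag 13.10 as affected.
 */
function ump_check_is_affected( string $version ): bool {
    return version_compare( $version, UMP_CHECK_MAX_AFFECTED, '<=' );
}

add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    $plugin = ump_check_find_plugin();
    if ( null === $plugin || ! ump_check_is_affected( $plugin['version'] ) ) {
        return;
    }
    $state = is_plugin_active( $plugin['file'] ) ? 'active' : 'installed but inactive';
    printf(
        '<div class="notice notice-error"><p>%s</p></div>',
        esc_html( sprintf(
            'Ultimate Membership Pro %1$s is %2$s and falls within the range affected by CVE-2026-25357 (all versions through 13.7). Update it, or deactivate it until it is updated.',
            $plugin['version'],
            $state
        ) )
    );
} );
```

The same check from the command line is `wp plugin get indeed-membership-pro --field=version`, compared against 13.7 with the same numeric rule.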
