CVE-2025-3282

Medium CVSS: 5.3

The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.3 via the user_registration_membership_register_member() due to missing validation on the 'membership_id' user controlled key. This makes it possible for unauthenticated attackers to update any user's membership to any other active or non-active membership type.

Vendor

Wpeverest

Product

User Registration \& Membership

CWE

CWE-639

Yayın Tarihi

2025-04-12 07:15:27

Güncelleme

2025-07-08 18:32:17

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-639 User Registration \& Membership MEDIUM Wpeverest 2025

Referanslar

https://plugins.trac.wordpress.org/changeset/3268617/user-registration/trunk/modules/membership/includes/AJAX.php https://www.wordfence.com/threat-intel/vulnerabilities/id/c525b41c-dca5-442a-927e-4583cb303ed1?source=cve

Benzer Kayıtlar

Critical

CVE-2025-60210

Deserialization of Untrusted Data vulnerability in wpeverest Everest Forms - Frontend Listing everest-forms-frontend-lis…

High

CVE-2025-5927

The Everest Forms (Pro) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path vali…

Medium

CVE-2024-8542

The Everest Forms WordPress plugin before 3.0.3.1 does not sanitise and escape some of its settings, which could allow…

Medium

CVE-2025-26841

Cross Site Scripting vulnerability in WPEVEREST Everest Forms before 3.0.9 allows an attacker to execute arbitrary code…

Medium

CVE-2025-39400

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpeverest User Reg…

High

CVE-2025-2594

The User Registration & Membership WordPress plugin before 4.1.3 does not properly validate data in an AJAX action when…