CVE-2025-2594: User Registration & Membership < 4.1.3 - Authentication Bypass

Description

The User Registration & Membership WordPress plugin before 4.1.3 does not properly validate data in an AJAX action when the Membership Addon is enabled, allowing attackers to authenticate as any user, including administrators, by simply using the target account's user ID.

Classification

CVE ID: CVE-2025-2594

Problem Types

CWE-287 Improper Authentication

Affected Products

Vendor: Unknown

Product: User Registration & Membership

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 16.71% (scored less or equal to compared to others)

EPSS Date: 2025-05-21 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-2594
https://wpscan.com/vulnerability/1c1be47a-d5c0-4ac1-b9fd-475b382a7d8f/

Timeline

2025-04-22 07:40:11 UTC
CVE

User Registration & Membership < 4.1.3 - Authentication Bypass