CVE-2025-2563

The User Registration & Membership  WordPress plugin before 4.1.2 does not prevent users to set their account role when the Membership Addon is enabled, leading to a privilege escalation issue and allowing unauthenticated users to gain admin privileges
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
WPScanCNA
---
---
CISA-ADPADP
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
VendorProductVersion
wpeverestuser_registration_\&_membership
𝑥
< 4.1.2
wpeverestuser_registration_\&_membership
𝑥
< 5.1.2
𝑥
= Vulnerable software versions
References
https://wpscan.com/vulnerability/2c0f62a1-9510-4f90-a297-17634e6c8b75/