
A critical security vulnerability has been discovered in the “User Registration & Membership” WordPress plugin, a popular tool for creating membership websites and registration forms. The flaw, identified as CVE-2025-2563, carries a CVSS score of 9.8, indicating its high severity.
The User Registration & Membership plugin simplifies the process of integrating members into WordPress websites. It offers a comprehensive membership ecosystem with features like registration forms, membership groups, login forms, user profiles, and content restriction. With over 60,000 active installations, this plugin is widely used within the WordPress community.
The vulnerability lies in the plugin’s “prepare_members_data()” function. Due to insufficient restrictions on the role type, unauthenticated attackers can exploit this flaw to create new user accounts with administrator privileges. This privilege escalation poses a significant risk, as attackers can gain full control of affected WordPress websites.
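The general weakness described above is a registration handler that lets the request decide which role the new account gets. As an added illustration (this is not code from the plugin or from the advisory; all function names such as example_register_member and example_membership_roles are hypothetical), the following WordPress-style PHP shows the trusting pattern next to a hardened one that chooses the role server-side from a fixed allow-list and refuses administrator outright.

```php
<?php
/**
 * Added example, not the plugin's own code. Demonstrates why a self-service
 * registration path must never take the role from the request.
 * All function names here (example_*) are hypothetical.
 */

// Roles a self-service registration may ever assign. Administrator, editor and
// other privileged roles are deliberately absent from this list.
function example_membership_roles(): array {
    return array( 'subscriber' );
}

/**
 * Weak pattern (for contrast): the role submitted with the request is passed
 * straight to wp_insert_user(), so any value, including "administrator",
 * becomes the new account's role.
 */
function example_register_member_unsafe( array $data ) {
    $role = isset( $data['role'] ) ? sanitize_key( $data['role'] ) : 'subscriber';
    return wp_insert_user( array(
        'user_login' => sanitize_user( $data['username'], true ),
        'user_email' => sanitize_email( $data['email'] ),
        'user_pass'  => $data['password'],
        'role'       => $role, // client-controlled: the root of the problem
    ) );
}

/**
 * Hardened pattern: the role is looked up against the server-side allow-list,
 * anything not on it falls back to the least-privileged role, and an explicit
 * guard rejects administrator even if the allow-list is ever misconfigured.
 */
function example_register_member( array $data ) {
    $allowed   = example_membership_roles();
    $requested = isset( $data['role'] ) ? sanitize_key( $data['role'] ) : '';

    // Honour the requested role only if it is on the allow-list.
    $role = in_array( $requested, $allowed, true ) ? $requested : 'subscriber';

    if ( 'administrator' === $role || ! in_array( $role, $allowed, true ) ) {
        return new WP_Error(
            'forbidden_role',
            'Requested role is not permitted for self-registration.'
        );
    }

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $data['username'], true ),
        'user_email' => sanitize_email( $data['email'] ),
        'user_pass'  => $data['password'],
        'role'       => $role,
    ) );

    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }

    // Audit trail: record every self-registration so an unexpected role grant
    // stands out in the logs.
    error_log( sprintf( 'member registration: user_id=%d role=%s', $user_id, $role ) );

    return $user_id;
}
```

After updating, a site owner can also confirm that no unexpected accounts were created while the site was exposed, for example by listing administrators with their creation dates via WP-CLI: wp user list --role=administrator --fields=ID,user_login,user_registered. Any administrator account the owner does not recognise should be disabled and investigated.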
All versions of the plugin up to and including 4.1.1 are affected.
To address this critical vulnerability, the plugin developers have released version 4.1.2. Users are strongly advised to update their plugin to this latest version as soon as possible to secure their websites against potential attacks.