{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3281", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-04T15:15:57.202Z", "datePublished": "2025-05-06T07:24:21.668Z", "dateUpdated": "2026-04-08T16:44:47.691Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:44:47.691Z"}, "affected": [{"vendor": "wpeverest", "product": "User Registration & Membership \u2013 Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The User Registration & Membership \u2013 Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.1 via the create_stripe_subscription() function, due to missing validation on the 'member_id' user controlled key. This makes it possible for unauthenticated attackers to delete arbitrary user accounts that have registered through the plugin."}], "title": "User Registration & Membership \u2013 Custom Registration Form, Login Form, and User Profile <= 4.2.1 - Insecure Direct Object Reference to Unauthenticated Limited User Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/30339ff6-b6bf-4c56-b6cd-db0b8a6ce8b6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/user-registration/tags/4.1.3/modules/membership/includes/AJAX.php#L619"}, {"url": "https://plugins.trac.wordpress.org/changeset/3287698/user-registration/trunk/modules/membership/includes/AJAX.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "timeline": [{"time": "2025-05-05T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-06T13:25:12.947564Z", "id": "CVE-2025-3281", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-06T13:25:25.517Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3281", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-06T13:25:12.947564Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-06T13:25:20.792Z"}}], "cna": {"title": "User Registration & Membership \u2013 Custom Registration Form, Login Form, and User Profile <= 4.2.1 - Insecure Direct Object Reference to Unauthenticated Limited User Deletion", "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpeverest", "product": "User Registration & Membership \u2013 Custom Registration Form, Login Form, and User Profile", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.2.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-05T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/30339ff6-b6bf-4c56-b6cd-db0b8a6ce8b6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/user-registration/tags/4.1.3/modules/membership/includes/AJAX.php#L619"}, {"url": "https://plugins.trac.wordpress.org/changeset/3287698/user-registration/trunk/modules/membership/includes/AJAX.php"}], "descriptions": [{"lang": "en", "value": "The User Registration & Membership \u2013 Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.1 via the create_stripe_subscription() function, due to missing validation on the 'member_id' user controlled key. This makes it possible for unauthenticated attackers to delete arbitrary user accounts that have registered through the plugin."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-05-06T07:24:21.668Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3281", "state": "PUBLISHED", "dateUpdated": "2025-05-06T13:25:25.517Z", "dateReserved": "2025-04-04T15:15:57.202Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-06T07:24:21.668Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The User Registration & Membership \u2013 Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.1 via the create_stripe_subscription() function, due to missing validation on the 'member_id' user controlled key. This makes it possible for unauthenticated attackers to delete arbitrary user accounts that have registered through the plugin."}, {"lang": "es", "value": "El complemento User Registration &amp; Membership \u2013 Custom Registration Form, Login Form, and User Profile para WordPress es vulnerable a una Referencia Directa a Objetos Insegura en todas las versiones hasta la 4.2.1 incluida, a trav\u00e9s de la funci\u00f3n create_stripe_subscription(), debido a la falta de validaci\u00f3n en la clave controlada por el usuario \"member_id\". Esto permite a atacantes no autenticados eliminar cuentas de usuario arbitrarias registradas a trav\u00e9s del complemento."}], "id": "CVE-2025-3281", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-06T08:15:16.707", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/user-registration/tags/4.1.3/modules/membership/includes/AJAX.php#L619"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3287698/user-registration/trunk/modules/membership/includes/AJAX.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/30339ff6-b6bf-4c56-b6cd-db0b8a6ce8b6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T11:29:43.886262+00:00", "value": {"mitigation_remediation": ["Upgrade the User Registration & Membership plugin to the latest released version that includes a fix for the vulnerable create_stripe_subscription() function.", "If an upgrade is not possible, restrict access to the AJAX endpoint that processes create_stripe_subscription() by denying all non\u2011admin requests or by enforcing proper authentication checks before allowing deletion.", "Modify the create_stripe_subscription() function to validate the member_id parameter against the authenticated user\u2019s ID or ensure that the user has privileged status before performing deletion."], "summary": {"action": "Apply Patch", "impact": "User Account Deletion"}, "threat_synthesis": {"affected_systems": "WordPress installations that use the User Registration & Membership plugin version 4.2.1 or earlier are affected. The vulnerability exists in the membership component of the plugin, and any site that has installed or activated this plugin version is at risk.", "description_and_impact": "The User Registration & Membership \u2013 Custom Registration Form, Login Form, and User Profile plugin for WordPress contains an Insecure Direct Object Reference vulnerability (CWE-639) in the create_stripe_subscription() function. Because the plugin does not validate the member_id parameter supplied by the user, an attacker who is not authenticated can request that the function delete any user account that was registered through the plugin. This deletion removes the user\u2019s data and credentials, potentially disrupting site functionality and allowing the attacker to compromise the reputation of the site\u2019s user base.", "risk_and_exploitability": "The vulnerability has a CVSS score of 5.3, indicating moderate severity, and the EPSS score is reported as less than 1\u202f%, implying a low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. The attack vector is inferred to be an unauthenticated HTTP request to the plugin\u2019s AJAX endpoint, where the attacker provides a crafted member_id value. Since the function accepts the parameter without checks, the deletion proceeds without authentication."}}}}, "created": "2026-04-28T11:30:29.837667+00:00", "updated": "2026-04-28T11:30:29.837678+00:00", "vendors": []}