{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3282", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-04T15:25:48.467Z", "datePublished": "2025-04-12T06:37:17.798Z", "dateUpdated": "2026-04-08T17:20:48.116Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:20:48.116Z"}, "affected": [{"vendor": "wpeverest", "product": "User Registration & Membership \u2013 Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The User Registration & Membership \u2013 Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.3 via the user_registration_membership_register_member() due to missing validation on the 'membership_id' user controlled key. This makes it possible for unauthenticated attackers to update any user's membership to any other active or non-active membership type."}], "title": "User Registration & Membership \u2013 Custom Registration Form, Login Form, and User Profile <= 4.1.3 - Insecure Direct Object Reference to Unauthenticated Membership Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c525b41c-dca5-442a-927e-4583cb303ed1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3268617/user-registration/trunk/modules/membership/includes/AJAX.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "timeline": [{"time": "2025-04-11T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-14T16:22:30.285673Z", "id": "CVE-2025-3282", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-14T16:23:01.145Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3282", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-14T16:22:30.285673Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-14T16:22:47.819Z"}}], "cna": {"title": "User Registration & Membership \u2013 Custom Registration Form, Login Form, and User Profile <= 4.1.3 - Insecure Direct Object Reference to Unauthenticated Membership Modification", "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpeverest", "product": "User Registration & Membership \u2013 Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.1.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-11T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c525b41c-dca5-442a-927e-4583cb303ed1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3268617/user-registration/trunk/modules/membership/includes/AJAX.php"}], "descriptions": [{"lang": "en", "value": "The User Registration & Membership \u2013 Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.3 via the user_registration_membership_register_member() due to missing validation on the 'membership_id' user controlled key. This makes it possible for unauthenticated attackers to update any user's membership to any other active or non-active membership type."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:20:48.116Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3282", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:20:48.116Z", "dateReserved": "2025-04-04T15:25:48.467Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-12T06:37:17.798Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wpeverest:user_registration_\\&_membership:*:*:*:*:free:wordpress:*:*", "matchCriteriaId": "3C8A650E-C475-497C-BEE8-940F9FC881A5", "versionEndExcluding": "4.1.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The User Registration & Membership \u2013 Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.3 via the user_registration_membership_register_member() due to missing validation on the 'membership_id' user controlled key. This makes it possible for unauthenticated attackers to update any user's membership to any other active or non-active membership type."}, {"lang": "es", "value": "El complemento User Registration &amp; Membership \u2013 Custom Registration Form, Login Form, and User Profile para WordPress es vulnerable a una Referencia Directa a Objetos Insegura en todas las versiones hasta la 4.1.3 incluida, a trav\u00e9s de user_registration_membership_register_member(), debido a la falta de validaci\u00f3n en la clave controlada por el usuario \"membership_id\". Esto permite a atacantes no autenticados actualizar la membres\u00eda de cualquier usuario a cualquier otro tipo de membres\u00eda, activa o inactiva."}], "id": "CVE-2025-3282", "lastModified": "2025-07-08T18:32:17.517", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-04-12T07:15:27.003", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3268617/user-registration/trunk/modules/membership/includes/AJAX.php"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c525b41c-dca5-442a-927e-4583cb303ed1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T23:16:43.466269+00:00", "value": {"mitigation_remediation": ["Upgrade the User Registration & Membership plugin to a release that includes validation for the membership_id parameter.", "If an update is not immediately available, block or restrict access to the AJAX endpoint that accepts membership_id to prevent unauthenticated requests.", "Verify that all site memberships are current after applying the patch or blocking the endpoint to ensure no unintended changes remain."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Membership Modification"}, "threat_synthesis": {"affected_systems": "All installations of the wpeverest User Registration & Membership \u2013 Custom Registration Form, Login Form, and User Profile plugin, versions 4.1.3 and earlier. The plugin is available as a WordPress add\u2011on and can be installed on any WordPress site that uses this membership solution.", "description_and_impact": "The vulnerability originates in the user_registration_membership_register_member() function of the User Registration & Membership plugin, which accepts a membership_id parameter without validating ownership or authentication. This Insecure Direct Object Reference flaw allows an attacker to specify any membership ID and apply it to any user account, effectively granting or revoking paid or non\u2011active memberships without permission. The weakness is classified as CWE\u2011639 and results in unauthorized privilege changes that can alter user access levels across the site.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by sending an unauthenticated HTTP request to the plugin\u2019s AJAX endpoint and supplying a selected membership_id value, thereby reassigning memberships for arbitrary users. No additional authentication or privileged access is required to trigger the change."}}}}, "created": "2026-04-20T23:30:16.101905+00:00", "updated": "2026-04-20T23:30:16.101924+00:00", "vendors": []}