{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3292", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-04T16:58:34.203Z", "datePublished": "2025-04-12T06:37:16.694Z", "dateUpdated": "2026-04-08T16:54:53.830Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:53.830Z"}, "affected": [{"vendor": "wpeverest", "product": "User Registration & Membership \u2013 Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The User Registration & Membership \u2013 Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.3 via the user_registration_update_profile_details() due to missing validation on the 'user_id' user controlled key. This makes it possible for unauthenticated attackers to update other user's passwords, if they have access to the user ID and email."}], "title": "User Registration & Membership \u2013 Custom Registration Form, Login Form, and User Profile <= 4.1.3 - Insecure Direct Object Reference to Authenticated (Subscriber+) User Password Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/59a63cd8-9d33-4a2c-a499-5b1ee38c07d6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/user-registration/tags/4.1.3/includes/class-ur-ajax.php#L323"}, {"url": "https://plugins.trac.wordpress.org/changeset/3268617/user-registration/trunk/includes/class-ur-ajax.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "timeline": [{"time": "2025-04-11T17:44:06.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-14T16:25:21.064430Z", "id": "CVE-2025-3292", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-14T16:26:16.498Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3292", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-14T16:25:21.064430Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-14T16:26:09.732Z"}}], "cna": {"title": "User Registration & Membership \u2013 Custom Registration Form, Login Form, and User Profile <= 4.1.3 - Insecure Direct Object Reference to Authenticated (Subscriber+) User Password Update", "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpeverest", "product": "User Registration & Membership \u2013 Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.1.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-11T17:44:06.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/59a63cd8-9d33-4a2c-a499-5b1ee38c07d6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/user-registration/tags/4.1.3/includes/class-ur-ajax.php#L323"}, {"url": "https://plugins.trac.wordpress.org/changeset/3268617/user-registration/trunk/includes/class-ur-ajax.php"}], "descriptions": [{"lang": "en", "value": "The User Registration & Membership \u2013 Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.3 via the user_registration_update_profile_details() due to missing validation on the 'user_id' user controlled key. This makes it possible for unauthenticated attackers to update other user's passwords, if they have access to the user ID and email."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:53.830Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3292", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:54:53.830Z", "dateReserved": "2025-04-04T16:58:34.203Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-12T06:37:16.694Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wpeverest:user_registration_\\&_membership:*:*:*:*:free:wordpress:*:*", "matchCriteriaId": "6640CB90-56BC-4065-BF6D-2FE498EA0B30", "versionEndExcluding": "4.1.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The User Registration & Membership \u2013 Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.3 via the user_registration_update_profile_details() due to missing validation on the 'user_id' user controlled key. This makes it possible for unauthenticated attackers to update other user's passwords, if they have access to the user ID and email."}, {"lang": "es", "value": "El complemento User Registration &amp; Membership \u2013 Custom Registration Form, Login Form, and User Profile para WordPress es vulnerable a una Referencia Directa a Objetos Insegura en todas las versiones hasta la 4.1.3 incluida, a trav\u00e9s de user_registration_update_profile_details(), debido a la falta de validaci\u00f3n en la clave de usuario 'user_id'. Esto permite que atacantes no autenticados actualicen las contrase\u00f1as de otros usuarios si tienen acceso a su ID y correo electr\u00f3nico."}], "id": "CVE-2025-3292", "lastModified": "2025-07-08T18:31:04.310", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-04-12T07:15:27.143", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/user-registration/tags/4.1.3/includes/class-ur-ajax.php#L323"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3268617/user-registration/trunk/includes/class-ur-ajax.php"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/59a63cd8-9d33-4a2c-a499-5b1ee38c07d6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T21:20:14.528273+00:00", "value": {"mitigation_remediation": ["Upgrade the User Registration & Membership plugin to version 4.1.4 or later to eliminate the missing validation bug.", "Ensure that the AJAX endpoint handling profile updates is protected behind authentication checks and, if possible, limit its exposure to logged\u2011in users only.", "Audit account activity for sudden password changes and enforce multi\u2011factor authentication on user accounts to mitigate potential account takeover.\n"], "summary": {"action": "Patch Immediately", "impact": "Unauthenticated alteration of another user's password enabling account takeover"}, "threat_synthesis": {"affected_systems": "All WordPress installations that use the User Registration & Membership \u2013 Custom Registration Form, Login Form, and User Profile plugin of version 4.1.3 or earlier. The affected product is published by wpeverest and is commonly titled \"User Registration & Membership \u2013 Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder.\" Users running any release through 4.1.3 must review and upgrade.", "description_and_impact": "The vulnerability arises from missing validation on the user_id parameter in the User Registration & Membership \u2013 Custom Registration Form, Login Form and User Profile plugin. An attacker who can guess or otherwise obtain a target user's ID and email can submit a crafted request to the user_registration_update_profile_details function via an AJAX endpoint and force the plugin to overwrite the target's password. The result is irreversible credential modification that grants the attacker full access to the victim's account, potentially compromising any sensitive content or services associated with that account. The weakness is classified as CWE\u2011639, illustrating improper restriction of recursive self\u2011scheduling or data access. Since the plugin performs no check to confirm that the requestor is the legitimate profile owner, the impact is limited to the confidentiality and integrity of the victim's account rather than system-wide exploitation.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity driven by confidentiality impact. The EPSS score is reported as less than 1%, implying a very low probability of real\u2010world exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, further suggesting limited known exploitation pressure. Even with these low metrics, the potential for an attacker to gain control of victim accounts remains high, especially in sites that expose the AJAX endpoint to unauthenticated users or have weak user enumeration. The attack vector is inferred to be HTTP requests to the AJAX endpoint where the attacker supplies a valid user_id and email pair, potentially via brute force or open directory listings.\n"}}}}, "created": "2026-04-21T21:30:45.741568+00:00", "updated": "2026-04-21T21:30:45.741626+00:00", "vendors": []}