Description
The CM Registration – Tailored tool for seamless login and invitation-based registrations plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 2.5.6. This is due to insufficient validation on the redirect url supplied via the 'redirect_url' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
Published: 2025-10-11
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect
Action: Update Plugin
AI Analysis

Impact

The CM Registration – Tailored tool for seamless login and invitation-based registrations plugin accepts a 'redirect_url' parameter without proper validation, allowing an unauthenticated attacker to lure users to malicious sites. The flaw is classified as CWE-601 (URL Redirection to Untrusted Site, "Open Redirect"). Its use in phishing or social engineering campaigns is inferred from the typical exploitation pattern of open redirects; the description does not state phishing explicitly, but it is a common consequence of this weakness.

Affected Systems

The vulnerability affects all installations of the Creative Minds Solutions CM Registration plugin version 2.5.6 and earlier. Any WordPress site running the plugin in these versions is susceptible.

Risk and Exploitability

With a CVSS score of 4.7, the risk profile is moderate, and the EPSS score of less than 1% indicates a low likelihood of exploitation at the time of this analysis. The flaw is not listed in the CISA KEV catalog. Attackers can trigger the redirect by placing a crafted 'redirect_url' in a link or form, enabling them to direct unsuspecting users to phishing domains or other malicious content.

Generated by OpenCVE AI on April 21, 2026 at 18:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the CM Registration plugin to the latest version (any release later than 2.5.6).
  • If upgrading is infeasible, remove the 'redirect_url' parameter or enforce strict validation on it so that the open redirect is eliminated.
  • Deploy monitoring or WAF rules to detect and block abnormal redirect behavior.
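The second action above, validating 'redirect_url' against an allow-list, as an added PHP example; this is not the plugin's own code, and it assumes the parameter arrives in $_GET['redirect_url'] and that the site host (here 'example.com') is known to the caller.

```php
<?php
// Added example (not CM Registration's code): allow-list validation for a
// user-supplied redirect target before a Location header is emitted.
// Requires PHP 8.0+ for str_starts_with().

/**
 * Return $input if it is a same-site relative path or an http(s) URL whose host
 * is $site_host or in $allowed_hosts; otherwise return $fallback.
 */
function safe_redirect_target($input, string $site_host, array $allowed_hosts = [], string $fallback = '/'): string
{
    if (!is_string($input) || $input === '') {
        return $fallback;
    }
    // Browsers treat "\" like "/", so normalise it before any prefix checks.
    $input = trim(str_replace('\\', '/', $input));
    if (preg_match('/[\x00-\x1f\x7f]/', $input)) {
        return $fallback; // control characters have no place in a redirect target
    }
    // Protocol-relative form ("//other.example/...") leaves the site: reject it.
    if (str_starts_with($input, '//')) {
        return $fallback;
    }
    $parts = parse_url($input);
    if ($parts === false) {
        return $fallback;
    }
    // No scheme and no host: accept only an absolute path on this site.
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        return str_starts_with($input, '/') ? $input : $fallback;
    }
    // Absolute URL: require http(s) and an allow-listed host. Userinfo tricks
    // such as "https://example.com@other.example" fail because parse_url
    // reports the real host.
    $scheme  = strtolower($parts['scheme'] ?? '');
    $host    = strtolower($parts['host'] ?? '');
    $allowed = array_map('strtolower', array_merge([$site_host], $allowed_hosts));
    if (!in_array($scheme, ['http', 'https'], true) || !in_array($host, $allowed, true)) {
        return $fallback;
    }
    return $input;
}

// Usage (assumed request shape). WordPress plugins can instead call
// wp_safe_redirect(), which applies the same host allow-list idea through
// wp_validate_redirect() and the allowed_redirect_hosts filter.
$target = safe_redirect_target($_GET['redirect_url'] ?? null, 'example.com');
header('Location: ' . $target, true, 302);
exit;
```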



Advisories

No advisories yet.

History

Tue, 21 Oct 2025 13:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Creativemindssolutions; Creativemindssolutions cm Registration; Wordpress; Wordpress wordpress
Vendors & Products | | Creativemindssolutions; Creativemindssolutions cm Registration; Wordpress; Wordpress wordpress

Tue, 14 Oct 2025 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 11 Oct 2025 08:45:00 +0000

Type | Values Removed | Values Added
Description | | The CM Registration – Tailored tool for seamless login and invitation-based registrations plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 2.5.6. This is due to insufficient validation on the redirect url supplied via the 'redirect_url' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
Title | | CM Registration – Tailored tool for seamless login and invitation-based registrations <= 2.5.6 - Open Redirect
Weaknesses | | CWE-601
References | |
Metrics | | cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:19:46.335Z

Reserved: 2025-09-29T16:52:35.968Z

Link: CVE-2025-11167

Vulnrichment

Updated: 2025-10-14T13:30:23.862Z

NVD

Status: Deferred

Published: 2025-10-11T09:15:31.997

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11167

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T19:00:36Z

Weaknesses