Description
The UrbanGo Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.4. This is due to the plugin allowing users who are registering new accounts to set their own role or by supplying 'user_register_role' field. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.
Published: 2025-04-19
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

The vulnerability exists in UrbanGo Membership plugin for WordPress versions up to 1.0.4. During account registration, the plugin accepts a "user_register_role" field that allows the registrant to specify their role. An attacker who has no authentication can therefore create an account with the administrator role, giving full control over the WordPress site. This flaw leads to privilege escalation. CWE‑269 is an Elevation of Privilege weakness.

Affected Systems

Affected systems are WordPress sites that have the Edge‑Themes UrbanGo Membership plugin installed in version 1.0.4 or earlier. The vulnerability is present regardless of the overall WordPress version since it relies solely on the plugin's registration handling.

Risk and Exploitability

The CVSS score of 9.8 places this flaw in the critical severity range, while the EPSS score of less than 1% indicates that, at present, it is not a common exploitation vector. However, because the exploit only requires submitting a normal registration form, an attacker could create a privileged account without needing any additional access or advanced skills, making the risk significant. The vulnerability is not yet listed in the CISA KEV catalog, but admins should act promptly. The likely attack vector is an unauthenticated user sending a registration request with a crafted "user_register_role" value; no authentication or exploitation prerequisites beyond the form submission are required.

Generated by OpenCVE AI on April 21, 2026 at 21:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest UrbanGo Membership plugin version (any version newer than 1.0.4) which removes the ability to set role during public registration, or disable public registration entirely.
  • If upgrading is not possible, edit the plugin’s registration handler to discard the "user_register_role" field or enforce the default role, ensuring that new accounts default to the least privileged role (e.g., Subscriber).
  • Harden WordPress by restricting role assignment to administrators only; disable user role editing via the front‑end and confirm that the plugin does not override WordPress’s role management.

Generated by OpenCVE AI on April 21, 2026 at 21:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-11929 The UrbanGo Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.4. This is due to the plugin allowing users who are registering new accounts to set their own role or by supplying 'user_register_role' field. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.
History

Mon, 21 Apr 2025 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 19 Apr 2025 02:45:00 +0000

Type Values Removed Values Added
Description The UrbanGo Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.4. This is due to the plugin allowing users who are registering new accounts to set their own role or by supplying 'user_register_role' field. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.
Title UrbanGo Membership <= 1.0.4 - Unauthenticated Privilege Escalation
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:06:56.168Z

Reserved: 2025-04-04T14:25:07.846Z

Link: CVE-2025-3278

cve-icon Vulnrichment

Updated: 2025-04-21T02:47:05.322Z

cve-icon NVD

Status : Deferred

Published: 2025-04-19T03:15:13.730

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3278

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T21:15:45Z

Weaknesses