Description
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.3 via the user_registration_update_profile_details() function due to missing validation on the 'user_id' user-controlled key. This makes it possible for unauthenticated attackers to update other users' passwords, if they have access to the user ID and email.
Published: 2025-04-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated alteration of another user's password enabling account takeover
Action: Patch Immediately
AI Analysis

Impact

The vulnerability arises from missing validation on the user_id parameter in the User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin. An attacker who can guess or otherwise obtain a target user's ID and email can submit a crafted request to the user_registration_update_profile_details function via an AJAX endpoint and force the plugin to overwrite the target's password. The result is irreversible credential modification that grants the attacker full access to the victim's account, potentially compromising any sensitive content or services associated with that account. The weakness is classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The plugin performs no check to confirm that the requester is the legitimate profile owner. The impact is limited to the confidentiality and integrity of the victim's account rather than system-wide exploitation.

Affected Systems

All WordPress installations that use version 4.1.3 or earlier of the User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin are affected. The affected product is published by wpeverest and is commonly titled "User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder." Users running any release through 4.1.3 must review and upgrade.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity driven by integrity impact. The EPSS score is reported as less than 1%, implying a very low probability of real-world exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, further suggesting limited known exploitation pressure. Even with these low metrics, the potential for an attacker to gain control of victim accounts remains high, especially on sites that expose the AJAX endpoint to unauthenticated users or allow easy user enumeration. The attack vector is inferred to be HTTP requests to the AJAX endpoint where the attacker supplies a valid user_id and email pair, potentially via brute force or open directory listings.

Generated by OpenCVE AI on April 21, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the User Registration & Membership plugin to version 4.1.4 or later to eliminate the missing validation bug.
  • Ensure that the AJAX endpoint handling profile updates is protected behind authentication checks and, if possible, limit its exposure to logged‑in users only.
  • Audit account activity for sudden password changes and enforce multi‑factor authentication on user accounts to mitigate potential account takeover.


Advisories
Source: EUVD
ID: EUVD-2025-10843
Title: The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.3 via the user_registration_update_profile_details() due to missing validation on the 'user_id' user controlled key. This makes it possible for unauthenticated attackers to update other user's passwords, if they have access to the user ID and email.

History

Tue, 08 Jul 2025 19:00:00 +0000

Type: First Time appeared
Values Added: Wpeverest; Wpeverest user Registration & Membership
Type: CPEs
Values Added: cpe:2.3:a:wpeverest:user_registration_\&_membership:*:*:*:*:free:wordpress:*:*
Type: Vendors & Products
Values Added: Wpeverest; Wpeverest user Registration & Membership

Mon, 14 Apr 2025 17:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 12 Apr 2025 07:00:00 +0000

Type: Description
Values Added: The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.3 via the user_registration_update_profile_details() due to missing validation on the 'user_id' user controlled key. This makes it possible for unauthenticated attackers to update other user's passwords, if they have access to the user ID and email.
Type: Title
Values Added: User Registration & Membership – Custom Registration Form, Login Form, and User Profile <= 4.1.3 - Insecure Direct Object Reference to Authenticated (Subscriber+) User Password Update
Type: Weaknesses
Values Added: CWE-639
Type: References
Values Added:
Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:54:53.830Z

Reserved: 2025-04-04T16:58:34.203Z

Link: CVE-2025-3292

Vulnrichment

Updated: 2025-04-14T16:26:09.732Z

NVD

Status: Analyzed

Published: 2025-04-12T07:15:27.143

Modified: 2025-07-08T18:31:04.310

Link: CVE-2025-3292

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:30:45Z

Weaknesses