Description
The Reales WP STPT plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 2.1.2. This is due to the 'reales_user_signup_form' AJAX action not verifying if user registration is enabled, prior to registering a user. This makes it possible for unauthenticated attackers to create new user accounts, which can be leveraged with CVE-XX to achieve privilege escalation.
Published: 2025-05-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized User Creation
Action: Patch
AI Analysis

Impact

The Reales WP STPT plugin allows an unauthenticated attacker to create new user accounts because the 'reales_user_signup_form' AJAX action does not verify whether user registration is enabled. This omission means an attacker can add a user account through the site's web interface, potentially giving access to higher-level functions. The flaw is an instance of improper authorization, classified as CWE-863.

Affected Systems

Any WordPress site running the Reales WP STPT plugin from pixel_prime at version 2.1.2 or earlier.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% reflects a low likelihood of exploitation. The vulnerability is exploitable remotely via the plugin’s AJAX endpoint, requiring no prior authentication. The flaw is not listed in CISA’s KEV catalog, so there is no public evidence of active attacks yet, but it could be leveraged together with other flaws to achieve privilege escalation.

Generated by OpenCVE AI on April 20, 2026 at 22:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Reales WP STPT to a patched version that includes registration verification.
  • Disable user registration on the WordPress site or via plugin settings until the update is applied.
  • Audit the site’s user accounts for unauthorized registrations and remove any that appear to be created by the flaw.



Advisories

Source: EUVD
ID: EUVD-2025-13387
Title: identical to the Description above.
History

Sun, 13 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00096}
Values Added: {'score': 0.001}

Tue, 06 May 2025 03:15:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 06 May 2025 02:30:00 +0000

Type: Description
Values Added: identical to the Description above.

Type: Title
Values Added: Reales WP STPT <= 2.1.2 - Unauthorized User Registration

Type: Weaknesses
Values Added: CWE-863

Type: References
Values Added: none listed

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:17.501Z

Reserved: 2025-04-14T20:16:57.211Z

Link: CVE-2025-3609

Vulnrichment

Updated: 2025-05-06T02:36:24.874Z

NVD

Status: Deferred

Published: 2025-05-06T03:15:17.620

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3609

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:00:14Z

Weaknesses