CVE-2025-2594
HIGHDescription
The User Registration & Membership WordPress plugin before 4.1.3 does not properly validate data in an AJAX action when the Membership Addon is enabled, allowing attackers to authenticate as any user, including administrators, by simply using the target account's user ID.
Is your site exposed to CVE-2025-2594?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Affected Products
| Vendor | Product |
|---|---|
| wpeverest | user_registration_\&_membership |
| wpeverest | user_registration_\&_membership |
References
Frequently Asked Questions
What is CVE-2025-2594? +
How severe is CVE-2025-2594? +
What products are affected by CVE-2025-2594? +
How do I check if I'm vulnerable to CVE-2025-2594? +
Related Vulnerabilities
Deserialization of Untrusted Data vulnerability in wpeverest Everest Forms - Frontend Listing everest-forms-frontend-listing allows Object Injection.This issue affects Everest Forms …
The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable …
The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable …
The User Registration & Membership WordPress plugin before 4.1.2 does not prevent users to set their account role when the …
The Everest Forms (Pro) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in …
Deserialization of Untrusted Data vulnerability in WPEverest User Registration.This issue affects User Registration: from n/a through 2.3.2.1.