CVE-2025-11167: 
WordPress vulnerability analysis and mitigation

The CM Registration – Tailored tool for seamless login and invitation-based registrations plugin for WordPress contains an Open Redirect vulnerability (CVE-2025-11167) discovered on October 10, 2025. The vulnerability affects all versions up to and including 2.5.6 of the plugin. This security issue stems from insufficient validation of the redirect URL parameter (NVD, Rapid7).

The vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site) and has received a CVSS v3.1 score of 4.7 (Medium) from Wordfence. The technical issue arises from insufficient validation on the redirect URL supplied via the 'redirect_url' parameter in the plugin's login functionality. The vulnerability has been assigned the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N, indicating network accessibility, low attack complexity, no privileges required, and user interaction required (NVD).

The vulnerability allows unauthenticated attackers to redirect users to potentially malicious websites if they can successfully trick them into performing specific actions. This could lead to phishing attacks or other malicious redirects that could compromise user security (NVD, Rapid7).

A patch has been implemented in the WordPress plugin repository, as evidenced by the changes in the LoginController.php file. The fix involves removing the vulnerable redirect URL parameter handling (WordPress Plugin).