CVE-2025-2563: 
WordPress vulnerability analysis and mitigation

The User Registration & Membership WordPress plugin before version 4.1.2 contains a critical security vulnerability (CVE-2025-2563) that affects its membership functionality. The vulnerability was discovered in March 2025 and affects over 60,000 active installations. This security flaw allows unauthenticated users to set their account role when the Membership Addon is enabled, potentially leading to unauthorized administrative access (WPScan, Security Online).

The vulnerability resides in the plugin's 'preparemembersdata()' function, which fails to implement proper restrictions on role type assignment. The flaw has received a CVSS v3.1 score of 8.1 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue affects both the free version (up to 4.1.1) and pro version (up to 5.1.1) of the plugin (Security Online, NVD).

The vulnerability enables unauthenticated attackers to create new user accounts with administrator privileges, potentially gaining full control over affected WordPress websites. With over 60,000 active installations, this poses a significant risk to numerous membership-based WordPress sites (Security Online).

The plugin developers have released version 4.1.2 for the free version and 5.1.2 for the pro version to address this vulnerability. Users are strongly advised to update their installations immediately to these latest versions to prevent potential exploitation (Security Online).