CVE-2025-2594: 
WordPress vulnerability analysis and mitigation

The User Registration & Membership WordPress plugin before version 4.1.3 contains an authentication bypass vulnerability identified as CVE-2025-2594. The vulnerability was discovered and disclosed on April 22, 2025, affecting installations with the Membership Addon enabled (WPScan, NVD).

The vulnerability stems from improper validation of data in an AJAX action when the Membership Addon is enabled. The issue allows attackers to authenticate as any user, including administrators, by simply using the target account's user ID. The vulnerability has received a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (CISA-ADP).

The vulnerability allows unauthorized users to bypass authentication controls and gain access to any user account on the affected WordPress installation, including administrator accounts. This could lead to complete site compromise as attackers can gain administrative privileges (WPScan).

Users are advised to update to User Registration & Membership plugin version 4.1.3 or later, which contains a fix for this vulnerability. For the Pro version, users should update to version 5.1.3 or later (WPScan).