CVE-2025-3281: 
WordPress vulnerability analysis and mitigation

The User Registration & Membership plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability, identified as CVE-2025-3281. The vulnerability was disclosed on May 6, 2025, affecting all versions up to and including 4.2.1. The issue exists in the createstripesubscription() function due to missing validation on the 'member_id' user controlled key (NVD, Wiz).

The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) and has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The technical issue stems from insufficient validation in the createstripesubscription() function where the member_id parameter is not properly validated before being used to delete user accounts (NVD, Wiz).

The vulnerability allows unauthenticated attackers to delete arbitrary user accounts that have registered through the plugin. This can lead to denial of service for legitimate users and potential disruption of website operations (Wiz).

The vulnerability has been patched in version 4.2.2 of the plugin. Site administrators are advised to update to this version or later immediately. The fix includes additional validation checks for the member_id parameter before performing user deletion operations (Wiz).