CVE-2025-3282: 
WordPress vulnerability analysis and mitigation

The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress contains an Insecure Direct Object Reference vulnerability (CVE-2025-3282) in all versions up to and including 4.1.3. The vulnerability exists in the userregistrationmembershipregistermember() function due to missing validation on the 'membership_id' user controlled key (NVD).

The vulnerability is classified as an Authorization Bypass Through User-Controlled Key (CWE-639). It has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The technical issue stems from improper validation of the 'membershipid' parameter in the userregistrationmembershipregister_member() function (NVD, WordPress Plugin).

The vulnerability allows unauthenticated attackers to update any user's membership to any other active or non-active membership type. This could lead to unauthorized access to premium features or services within WordPress sites using the affected plugin (NVD).

The vulnerability has been patched in version 4.1.4 of the plugin. Users are advised to update to this version or later to protect against this security issue (WordPress Plugin).