CVE-2025-3609: 
WordPress vulnerability analysis and mitigation

The Reales WP STPT plugin for WordPress contains a vulnerability (CVE-2025-3609) affecting all versions up to and including 2.1.2, discovered and disclosed on May 5, 2025. The vulnerability allows unauthorized user registration due to the 'reales_user_signup_form' AJAX action not verifying if user registration is enabled before registering a user (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. It is classified as CWE-863 (Incorrect Authorization). The vulnerability stems from a failure to properly validate whether user registration is enabled before processing registration requests (NVD).

The vulnerability enables unauthenticated attackers to create new user accounts on affected WordPress installations, even when user registration is disabled. When combined with CVE-2025-3610, this vulnerability can be leveraged to achieve remote code execution as an originally unauthenticated user (NVD, Wiz).

Site administrators should update their Reales WP STPT plugin to a version newer than 2.1.2 when available. Until a patch is released, administrators should monitor user registration activities closely and consider implementing additional security measures to prevent unauthorized account creation (Wiz).