CVE-2025-4334: 
WordPress vulnerability analysis and mitigation

The Simple User Registration plugin for WordPress contains a critical privilege escalation vulnerability (CVE-2025-4334) discovered and disclosed on June 25, 2025. The vulnerability affects all versions up to and including 6.3. This security flaw impacts the user registration functionality of the WordPress plugin, allowing unauthenticated attackers to register with administrator privileges (NVD, Wiz).

The vulnerability stems from insufficient restrictions on user meta values that can be supplied during the registration process. The issue is tracked as CWE-269 (Improper Privilege Management) and has received a CVSS v3.1 base score of 9.8 (CRITICAL), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerable code is located in the registration handling functionality of the plugin (WordPress Plugin).

The vulnerability allows unauthenticated attackers to register on WordPress sites with administrator privileges. This level of access grants complete control over the WordPress installation, including the ability to modify site content, install/remove plugins and themes, manage users, and potentially execute arbitrary code on the server (NVD).

Site administrators running the Simple User Registration plugin should immediately update to a version newer than 6.3 when available. Until a patch is released, it is recommended to disable the plugin or implement additional security controls to restrict user registration functionality (NVD).