PT-2025-16168 · WordPress · User Registration & Membership
Wesley · Published 2025-04-12 · Updated 2025-07-08 · CVE-2025-3292
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress, versions up to and including 4.1.3
Description: The plugin allows unauthenticated attackers to update other users' passwords if they know the target's user id and email, because the user_registration_update_profile_details() function performs no validation on the user-controlled user_id key. This is an Insecure Direct Object Reference (IDOR) issue.
Recommendations: For versions up to and including 4.1.3, consider disabling the user_registration_update_profile_details() function until a patch is available. Restrict access to the user_id parameter to reduce the risk of unauthorized password updates.
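The defect class described above is a profile-update handler that takes the target account from a request parameter instead of from the authenticated session. The PHP below is an added illustration written for this page; it is not the plugin's code and is not derived from its source. It shows a hypothetical AJAX handler in the vulnerable shape (the account to modify comes from a caller-supplied user_id) beside a hardened version that binds the change to the logged-in user, checks a nonce, and requires the current password before setting a new one. The function names demo_update_profile_vulnerable and demo_update_profile_fixed, the AJAX action demo_update_profile, and the nonce action demo_profile_update are assumptions; the WordPress API calls (get_current_user_id, check_ajax_referer, wp_check_password, wp_set_password, wp_send_json_error) are real core functions, and the code assumes it runs inside a WordPress plugin.

```php
<?php
// Added example for this advisory: hypothetical handlers, not the plugin's code.
// Assumes the WordPress runtime (loaded from a plugin or theme file).

// VULNERABLE SHAPE: the target account is chosen by the request. Any caller who
// knows a victim's user id (plus whatever else the handler asks for) can overwrite
// that victim's password. This is the IDOR pattern the advisory describes.
function demo_update_profile_vulnerable() {
    $user_id  = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $password = isset( $_POST['password'] ) ? (string) wp_unslash( $_POST['password'] ) : '';

    if ( $user_id && '' !== $password ) {
        // No ownership check, no nonce, no re-authentication.
        wp_set_password( $password, $user_id );
        wp_send_json_success();
    }
    wp_send_json_error( 'missing parameters', 400 );
}

// HARDENED SHAPE: the target account is the authenticated user, never a request key.
function demo_update_profile_fixed() {
    // 1. Only logged-in users may reach this handler. It is registered on the
    //    wp_ajax_ hook only (not wp_ajax_nopriv_), so anonymous requests never arrive.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }

    // 2. CSRF protection: the form must carry a nonce for this specific action.
    check_ajax_referer( 'demo_profile_update', 'nonce' );

    // 3. Bind the operation to the session; any user_id in the request is ignored.
    $user_id = get_current_user_id();

    $current  = isset( $_POST['current_password'] ) ? (string) wp_unslash( $_POST['current_password'] ) : '';
    $new_pass = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';

    if ( '' === $current || '' === $new_pass ) {
        wp_send_json_error( 'missing parameters', 400 );
    }

    // 4. Re-authenticate before changing a credential.
    $user = get_userdata( $user_id );
    if ( ! $user || ! wp_check_password( $current, $user->user_pass, $user_id ) ) {
        wp_send_json_error( 'current password incorrect', 403 );
    }

    wp_set_password( $new_pass, $user_id );
    wp_send_json_success();
}

// Only the hardened handler is registered, and only for authenticated requests.
add_action( 'wp_ajax_demo_update_profile', 'demo_update_profile_fixed' );
```

The key change is step 3: the account being modified is derived from the session rather than read from the request, which removes the user-controlled key entirely. The nonce and current-password checks are defence in depth against a logged-in victim's browser being driven by a cross-site request. When reviewing a plugin for this class of issue, look for any handler that passes a request-supplied user id to wp_set_password, wp_update_user, or a direct usermeta write without first comparing it to get_current_user_id() or checking a capability such as edit_users.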

Fix · IDOR
Weakness Enumeration
Related Identifiers: CVE-2025-3292
Affected Products: User Registration & Membership