PT-2025-17488 · WordPress · User Registration & Membership

Wesley · Published 2025-04-22 · Updated 2025-08-27 · CVE-2025-2594

CVSS v3.1: 8.1 High
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
User Registration & Membership WordPress plugin version 4.1.2 and earlier

Description
The User Registration & Membership WordPress plugin does not properly validate data in an AJAX action when the Membership Addon is enabled. This allows attackers to authenticate as any user, including administrators, simply by using the target account's user ID.

Recommendations
For versions prior to 4.1.3, update to version 4.1.3 or later to resolve the issue. As a temporary workaround, consider disabling the Membership Addon until the update is applied. Restrict access to the AJAX action to minimize the risk of exploitation. Avoid using the user ID in the affected AJAX action until the issue is resolved.

Related Identifiers

CVE-2025-2594

Affected Products

User Registration & Membership