CVE-2025-3609

Name of the Vulnerable Software and Affected Versions Reales WP STPT plugin for WordPress versions up to and including 2.1.2

Description The issue allows unauthorized user registration due to the 'reales user signup form' AJAX action not checking if user registration is enabled before registering a user. This enables unauthenticated attackers to create new user accounts, potentially leading to privilege escalation.

Recommendations For versions up to and including 2.1.2, update to a version higher than 2.1.2 to resolve the issue. As a temporary workaround, consider disabling the reales user signup form AJAX action until a patch is available. Restrict access to user registration to minimize the risk of exploitation.