WordPress Plugin Vulnerabilities

User Registration & Membership – Custom Registration Form, Login Form, and User Profile < 4.2.2 - Insecure Direct Object Reference to Unauthenticated Limited User Deletion

Description

The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.1 via the create_stripe_subscription() function, due to missing validation on the 'member_id' user controlled key. This makes it possible for unauthenticated attackers to delete arbitrary user accounts that have registered through the plugin.

Affects Plugins

Plugin icon
user-registration
Fixed in 4.2.2

References

CVE
CVE-2025-3281
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/30339ff6-b6bf-4c56-b6cd-db0b8a6ce8b6

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
f66223ec-8faa-483f-a829-0ff3d0b9d08e

Timeline

Publicly Published
2025-05-05 (about 1 year ago)
Added
2025-05-05 (about 1 year ago)
Last Updated
2025-05-06 (about 1 year ago)

Other

Published
Title
Published
2026-04-14
Title
Avada (Fusion) Builder < 3.15.2 - Authenticated (Subscriber+) Sensitive Information Exposure via Insecure Direct Object Reference
Published
2024-09-04
Title
Jetpack < 13.8 - Unauthenticated Arbitrary Block & Shortcode Execution
Published
2025-02-06
Title
Builder Shortcode Extras – WordPress Shortcodes Collection to Save You Time <= 1.0.0 - Authenticated (Contributor+) Post Disclosure
Published
2025-01-31
Title
WP Job Portal < 2.2.7 - Insecure Direct Object Reference to Authenticated (Employer+) Arbitrary Company Deletion
Published
2026-02-17
Title
PawFriends - Pet Shop and Veterinary WordPress <= 1.3 - Authenticated (Subscriber+) Insecure Direct Object Reference