CVE-2025-2563: How Pre‑4.1.2 WordPress Registration Plugins Enable Privilege Escalation
CVE-2025-2563 affects WordPress sites running a vulnerable user registration and membership plugin before its 4.1.2 release. With the plugin's membership add‑on enabled, the registration flow did not restrict which role a newly created account could be given, so an unauthenticated visitor could register directly as an administrator.
CVE-2025-2563 is a privilege‑escalation flaw in a WordPress user registration and membership plugin, fixed in plugin version 4.1.2; the 4.1.2 number is the plugin's version, not WordPress core, and core itself is not the affected component. The bug lies in the plugin's own registration handling: when the membership add‑on component is activated, the registration request is allowed to carry the role of the account being created, and the plugin does not validate or restrict that value.
Because nothing constrains the role value, anyone who can reach the registration endpoint can assign themselves the administrator role at registration time, with no existing account and no authentication required. The result is a genuine administrator account and therefore full administrative control of the WordPress site.
Only installations running the affected plugin below 4.1.2 with the membership add‑on enabled are exposed; updating to 4.1.2 or later removes the vulnerable path. Because a successful attack leaves behind a real administrator account rather than a transient session, sites that were exposed should also audit their user list for administrators they did not create, not just apply the update.
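The bug class described above, as an added example written for this page: it is illustrative code, not the affected plugin's code, and the function names, form field names, the option name, and the non-core role names are assumptions. It places a registration handler that lets the request choose the new account's role beside one that never reads the role from the request and additionally pins it to an allow-list of self-service roles.

```php
<?php
/*
 * Added example, not the affected plugin's code. Shows the bug class
 * behind CVE-2025-2563: a registration handler that lets the request
 * choose the new account's role, beside a version that does not.
 * Function names, form field names, the option name and the
 * non-core role names ('customer', 'member') are assumptions.
 */

// VULNERABLE PATTERN: the role is read from the request and passed
// straight to wp_insert_user(). Sanitising the string does not help;
// 'administrator' is a perfectly clean value.
function demo_register_vulnerable() {
	$role = sanitize_text_field( wp_unslash( $_POST['role'] ?? 'subscriber' ) );

	return wp_insert_user( array(
		'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
		'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
		'user_pass'  => (string) ( $_POST['password'] ?? '' ),
		'role'       => $role, // attacker-controlled
	) );
}

// Returns a role that is safe to hand out to anonymous visitors.
// Anything not on the allow-list collapses to 'subscriber'.
function demo_pick_signup_role( $requested ) {
	$allowed = array( 'subscriber', 'customer', 'member' );
	return in_array( $requested, $allowed, true ) ? $requested : 'subscriber';
}

// HARDENED PATTERN: the role never comes from the request. It is taken
// from site configuration and then checked against the allow-list, so
// even a misconfigured option cannot grant administrator at signup.
function demo_register_hardened() {
	$configured = get_option( 'demo_default_registration_role', 'subscriber' );
	$role       = demo_pick_signup_role( $configured );

	$user_id = wp_insert_user( array(
		'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
		'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
		'user_pass'  => (string) ( $_POST['password'] ?? '' ),
		'role'       => $role,
	) );

	if ( is_wp_error( $user_id ) ) {
		return $user_id;
	}

	// Belt and braces: re-assert the role on the created user so a
	// filter or add-on hooked into user creation cannot have widened it.
	$user = get_user_by( 'id', $user_id );
	if ( $user && $user->roles !== array( $role ) ) {
		$user->set_role( $role );
	}

	return $user_id;
}
```

The important difference is not the sanitisation but the data flow: in the hardened handler the role is derived from server-side configuration and clamped to low-privilege values, so there is no request parameter an attacker can influence. For the post-update audit mentioned above, WP-CLI can list current administrators with their registration dates: `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered`; any account registered during the exposure window that the site owner did not create should be treated as a compromise indicator.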
Black & White Path