Plattform
wordpress
Komponente
user-registration
Behoben in
4.4.9
CVE-2025-14976 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership plugin for WordPress. This flaw allows unauthenticated attackers to delete posts by exploiting a lack of proper nonce validation. The vulnerability impacts versions from 0.0.0 through 4.4.8, and a patch is available in version 4.4.9.
The primary impact of this vulnerability is the potential for unauthorized deletion of WordPress posts. An attacker could craft a malicious link that, when clicked by a site administrator, would trigger the deletion of any post. This could lead to significant data loss, disruption of website content, and potential reputational damage. The attack requires the administrator to be actively logged in and to interact with the crafted link, making it a social engineering attack. While the vulnerability is not directly exploitable for remote code execution, the ability to delete content can be a significant operational disruption.
This vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, suggesting a lower probability of immediate widespread exploitation. However, the ease of crafting CSRF attacks means that exploitation is possible if an attacker can successfully target a WordPress administrator. The vulnerability was publicly disclosed on 2026-01-10.
WordPress websites utilizing the User Registration & Membership plugin, particularly those with administrative accounts that are frequently used and potentially susceptible to phishing or social engineering attacks, are at risk. Shared hosting environments where multiple websites share the same server resources may also be indirectly affected if one site is compromised and used to launch attacks against others.
• wordpress / composer / npm:
grep -r 'process_row_actions' /var/www/html/wp-content/plugins/user-registration-membership/• wordpress / composer / npm:
wp plugin list --status=all | grep 'user-registration-membership'• wordpress / composer / npm:
wp plugin update user-registration-membershipdisclosure
Exploit-Status
EPSS
0.02% (4% Perzentil)
CISA SSVC
CVSS-Vektor
The recommended mitigation is to immediately upgrade the User Registration & Membership plugin to version 4.4.9 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the 'processrowactions' endpoint with the 'delete' action, ensuring proper nonce validation is enforced. Additionally, restrict administrator access to only necessary functions and implement strict link verification policies to prevent accidental clicks on malicious URLs. After upgrading, confirm the vulnerability is resolved by attempting to delete a test post via a crafted CSRF request and verifying that the action is denied.
Aktualisieren Sie auf Version 4.4.9 oder eine neuere gepatchte Version
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-14976 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the User Registration & Membership plugin for WordPress, allowing attackers to delete posts by tricking administrators.
You are affected if you are using the User Registration & Membership plugin in WordPress versions 0.0.0 through 4.4.8.
Upgrade the User Registration & Membership plugin to version 4.4.9 or later. Consider WAF rules as a temporary workaround.
While no widespread exploitation has been confirmed, the ease of CSRF attacks means exploitation is possible if administrators are targeted.
Refer to the plugin developer's website or WordPress.org plugin repository for the latest advisory and update information.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.