Platform: wordpress
Component: urbango-membership
Fixed in: 1.0.5
CVE-2025-3278 is a critical privilege escalation vulnerability discovered in the UrbanGo Membership plugin for WordPress. This flaw allows unauthenticated attackers to elevate their privileges to administrator level by manipulating the user registration process. The vulnerability impacts versions 1.0.0 through 1.0.4 of the plugin, and a patch is currently available.
The impact of this vulnerability is severe. An attacker can exploit it to gain complete control over a WordPress site by creating a new user account and assigning themselves the administrator role. This grants them full access to all site data, including sensitive information like user credentials, financial data, and proprietary content. They can modify website content, install malicious plugins, and even delete the entire site. The ease of exploitation, requiring only a crafted user registration request, significantly increases the risk of widespread compromise.
This vulnerability was publicly disclosed on 2025-04-19. While no public exploits have been confirmed, the ease of exploitation and the critical CVSS score suggest a high probability of exploitation. It is recommended to prioritize patching this vulnerability. The vulnerability's nature aligns with common WordPress plugin security flaws, potentially making it a target for automated exploitation tools.
Exploit Status
EPSS: 0.58% (69th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade the UrbanGo Membership plugin to a patched version. If upgrading is not feasible due to compatibility issues or breaking changes, consider temporarily disabling user registration or implementing stricter role assignment controls. WordPress administrators should also review user accounts for any suspicious administrator accounts created around the time of the vulnerability's public disclosure. Implement a Web Application Firewall (WAF) rule to block requests containing the 'userregisterrole' parameter. Regularly audit user roles and permissions to identify and remove any unauthorized administrator accounts.
Update the UrbanGo Membership plugin to a patched version. The vulnerability allows unauthenticated attackers to obtain administrator privileges by creating accounts with elevated roles. Check for available updates in the WordPress repository or on the developer's website.
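Added example, not code from the advisory or from the UrbanGo Membership plugin: a WordPress must-use plugin that applies two of the mitigations above in-process, refusing the 'userregisterrole' parameter named in the advisory for callers who cannot promote users, and resetting any self-registered account that ended up with a privileged role to the site's default role. It assumes the stock WordPress roles and hooks; the rrg_ prefix and function names are invented for this example.

```php
<?php
/**
 * Plugin Name: Registration Role Guard (example mu-plugin, not UrbanGo code)
 * Stop-gap until the plugin is updated: rejects the 'userregisterrole'
 * parameter from callers who cannot promote users and resets any new
 * self-registered account that ended up with a privileged role.
 * Install in wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// Roles a self-service registration must never produce (assumes stock roles).
const RRG_PRIVILEGED_ROLES = array( 'administrator', 'editor' );

// True for an administrator in wp-admin and for WP-CLI, whose user-creation
// commands run without a logged-in user and must keep working.
function rrg_caller_may_assign_roles() {
    if ( defined( 'WP_CLI' ) && WP_CLI ) { return true; }
    return is_user_logged_in() && current_user_can( 'promote_users' );
}

// Layer 1: the advisory's WAF rule enforced in-process, at init priority 0 so
// it runs before the membership plugin reads the request.
function rrg_block_role_parameter() {
    if ( ! isset( $_REQUEST['userregisterrole'] ) || rrg_caller_may_assign_roles() ) { return; }
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( "rrg: rejected userregisterrole parameter from {$ip}" );
    wp_die( 'Forbidden', 'Forbidden', 403 );
}
add_action( 'init', 'rrg_block_role_parameter', 0 );

// Layer 2: whichever code path created the account, a registration performed
// by an unprivileged caller is forced back to the site's default role, and the
// event is logged so the account audit recommended above has a trail.
function rrg_enforce_default_role( $user_id ) {
    if ( rrg_caller_may_assign_roles() ) { return; }
    $user = get_userdata( $user_id );
    if ( ! $user ) { return; }
    $gained = array_intersect( $user->roles, RRG_PRIVILEGED_ROLES );
    if ( empty( $gained ) ) { return; }
    $default = get_option( 'default_role', 'subscriber' );
    $user->set_role( $default );
    error_log( "rrg: user {$user_id} registered as " . implode( ',', $gained ) . ", reset to {$default}" );
}
add_action( 'user_register', 'rrg_enforce_default_role', 10, 1 );
```

Layer 2 only sees the roles present when `user_register` fires; a plugin that assigns the role afterwards would slip past it, so the parameter block and the update itself remain the primary controls.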
CVE-2025-3278 is a critical vulnerability allowing unauthenticated attackers to gain administrator privileges in UrbanGo Membership WordPress plugin versions 1.0.0–1.0.4 through manipulation of user registration roles.
If you are using UrbanGo Membership plugin versions 1.0.0 through 1.0.4 on your WordPress site, you are potentially affected by this vulnerability.
Upgrade the UrbanGo Membership plugin to the latest patched version as soon as possible. If upgrading is not immediately possible, consider temporary mitigation steps like disabling user registration.
While no confirmed active exploitation has been reported, the ease of exploitation and high CVSS score suggest a high probability of exploitation. Proactive patching is strongly recommended.
Refer to the UrbanGo Membership plugin's official website or WordPress plugin repository for the latest security advisory and patch information.