Platform
wordpress
Component
urbango-membership
Fixed in
1.0.5
CVE-2025-3278 is a critical privilege escalation vulnerability in the UrbanGo Membership plugin for WordPress. An unauthenticated attacker can obtain administrator access by submitting an otherwise normal user registration request that also carries a role of their choosing in the user_register_role field, because the plugin does not restrict which roles a self-registered user may receive. Versions 1.0.0 through 1.0.4 are affected; version 1.0.5 fixes the issue.
The impact is severe. By registering an account and assigning it the administrator role, an attacker gains complete control of the site: every user record and credential hash, any financial or proprietary content, the ability to change pages, install malicious plugins (which means running arbitrary PHP on the server), and the ability to delete the site outright. Exploitation requires nothing more than one crafted registration request, which makes widespread, automated compromise likely.
The vulnerability was publicly disclosed on 2025-04-19. No public exploit has been confirmed, but the trivial exploitation and the critical CVSS score make exploitation probable, so patching should be prioritised. Unauthenticated role manipulation during registration is a well-known class of WordPress plugin flaw, and a single POST request is easy to script, so the issue is a natural target for automated exploitation tools.
WordPress sites running the UrbanGo Membership plugin are at risk, especially where user registration is open to the public. Shared hosting environments carry additional risk: an administrator can install a plugin containing arbitrary PHP, and where several sites run under the same filesystem user that code can reach neighbouring sites as well.
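To make the mechanism concrete, here is an added model of the flawed role handling, written for this page; it is not the plugin's code, and the WordPress API calls are omitted so that it runs stand-alone. The vulnerable handler trusts whatever the form says in user_register_role; the hardened one accepts only a role from a server-side allowlist and otherwise falls back to the configured default role, recording what was asked for so the attempt can be alerted on. The role names are WordPress' built-in ones; the allowlist contents and the form field names other than user_register_role are assumptions.

```python
"""Model of the role-assignment flaw behind CVE-2025-3278 (illustrative, not plugin code)."""
from dataclasses import dataclass
from typing import Optional

# Roles that must never be reachable from an unauthenticated registration form.
PRIVILEGED_ROLES = {"administrator", "editor"}
# Equivalent of the WordPress default_role option.
DEFAULT_ROLE = "subscriber"
# Roles the membership form is allowed to offer (assumption for this model).
REGISTRATION_ROLE_ALLOWLIST = {"subscriber"}


@dataclass
class Registration:
    login: str
    email: str
    role: str
    # Set when the client asked for a role the server refused: worth logging,
    # because a request for 'administrator' is itself an attack indicator.
    rejected_role: Optional[str] = None


def register_vulnerable(form: dict) -> Registration:
    """Vulnerable pattern: the role comes straight from the request.

    Trimming or HTML-sanitising the value does nothing here; 'administrator'
    is already a clean string. The flaw is trusting the client, not encoding.
    """
    role = str(form.get("user_register_role", DEFAULT_ROLE)).strip()
    return Registration(form["user_login"], form["user_email"], role)


def register_hardened(form: dict) -> Registration:
    """Hardened pattern: the request may only pick from a server-side allowlist.

    Missing, unknown, privileged, or non-string values (e.g. an array-valued
    field) all fall back to the configured default role.
    """
    requested = form.get("user_register_role")
    if requested is None:
        return Registration(form["user_login"], form["user_email"], DEFAULT_ROLE)
    if isinstance(requested, str) and requested in REGISTRATION_ROLE_ALLOWLIST:
        return Registration(form["user_login"], form["user_email"], requested)
    return Registration(form["user_login"], form["user_email"], DEFAULT_ROLE,
                        rejected_role=str(requested))


def is_privileged(reg: Registration) -> bool:
    """True if the created account holds a role an attacker would want."""
    return reg.role in PRIVILEGED_ROLES


# Constructed attacker request: an ordinary registration plus one extra field.
MALICIOUS_FORM = {
    "user_login": "attacker",
    "user_email": "attacker@example.invalid",
    "user_pass": "correct horse battery staple",
    "user_register_role": "administrator",
}

if __name__ == "__main__":
    print("vulnerable:", register_vulnerable(MALICIOUS_FORM))
    print("hardened:  ", register_hardened(MALICIOUS_FORM))
```

The point of the hardened version is that the allowlist lives on the server and does not include any privileged role; validating that the submitted value is "a valid WordPress role" would still let administrator through.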
Checks and remediation (wordpress):
• Confirm the plugin is installed and active:
  wp plugin list --status=active | grep urban-go-membership
• Look for the role field in the installed plugin code (a hit shows the field is handled, not by itself that the installed copy is vulnerable; compare the installed version against 1.0.5, and adjust the path if the plugin directory uses a different name, e.g. urbango-membership as listed above):
  grep -r 'user_register_role' /var/www/html/wp-content/plugins/urban-go-membership/
• Update to the fixed release:
  wp plugin update urban-go-membership

Exploit status
disclosure
EPSS
0.58% (69th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the UrbanGo Membership plugin to 1.0.5 or later immediately. If upgrading is not feasible because of compatibility issues or breaking changes, disable user registration in the meantime (both the WordPress "Anyone can register" option and the plugin's own registration form, since membership plugins commonly provide one) or otherwise ensure the registration flow can assign only the default role, and add a Web Application Firewall (WAF) rule that blocks requests carrying the user_register_role parameter. Because exploitation needs no authentication and may have preceded public disclosure, review all administrator accounts (for example with wp user list --role=administrator), not only those created around the disclosure date, and remove any that cannot be accounted for. Keep auditing user roles and permissions regularly afterwards.
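Two of the stop-gap controls above, as an added example written for this page (not the vendor's or the plugin's code): a request filter equivalent to the suggested WAF rule, and an audit of administrator accounts over the JSON that `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=json` emits. The sample requests and the user list are constructed. The advisory does not name the registration endpoint, so the filter matches the parameter on any request rather than on a particular path, and it normalises parameter names the way PHP does when building $_POST, so that user.register.role or user_register_role[] cannot slip past a literal string match.

```python
"""Perimeter filter and admin audit for CVE-2025-3278 (added example, constructed data)."""
import json
import re
from datetime import datetime
from typing import List, Optional
from urllib.parse import parse_qs

BLOCKED_PARAM = "user_register_role"


def php_param_name(raw: str) -> str:
    """Reduce a submitted field name to the key PHP would store it under.

    PHP rewrites '.' and ' ' in request variable names to '_', and an array
    suffix such as '[]' or '[0]' still lands in $_POST['user_register_role'].
    A WAF that only looks for the literal 'user_register_role=' misses both.
    """
    name = re.sub(r"\[.*\]$", "", raw)
    return name.replace(".", "_").replace(" ", "_")


def should_block(method: str, query: str, body: str) -> Optional[str]:
    """Return the offending name=value pair if the request carries the role
    parameter in the query string or a form-encoded POST body, else None.

    JSON or multipart bodies are not parsed here; extend as needed for the
    content types the site actually accepts.
    """
    fields = dict(parse_qs(query, keep_blank_values=True))
    if method.upper() == "POST":
        fields.update(parse_qs(body, keep_blank_values=True))
    for name, values in fields.items():
        if php_param_name(name) == BLOCKED_PARAM:
            return f"{name}={','.join(values)}"
    return None


def suspicious_admins(wp_user_list_json: str, since: datetime) -> List[str]:
    """Logins of administrators registered at or after `since`.

    Use the date the plugin was installed, not the disclosure date: the flaw
    existed in every 1.0.x release before the fix, so exploitation could have
    happened well before 2025-04-19.
    """
    flagged = []
    for user in json.loads(wp_user_list_json):
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= since:
            flagged.append(user["user_login"])
    return flagged


# Constructed requests: (method, query string, body). Only the first is benign.
SAMPLE_REQUESTS = [
    ("POST", "", "user_login=bob&user_email=bob%40example.invalid&user_pass=x"),
    ("POST", "", "user_login=eve&user_register_role=administrator"),
    ("POST", "", "user_login=eve&user.register.role=administrator"),      # PHP dot-to-underscore
    ("POST", "", "user_login=eve&user_register_role%5B%5D=administrator"),  # array form
    ("GET", "user_register_role=administrator", ""),                      # via query string
]

# Constructed wp-cli output; the second account is the kind an attacker would create.
SAMPLE_WP_USER_LIST = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.invalid",
     "user_registered": "2023-02-11 09:14:02"},
    {"ID": 418, "user_login": "wp-support", "user_email": "support@example.invalid",
     "user_registered": "2025-04-21 03:27:55"},
])
PLUGIN_INSTALLED_ON = datetime(2025, 1, 1)  # assumption for the demo

if __name__ == "__main__":
    for method, query, body in SAMPLE_REQUESTS:
        print(method, query or body, "->", should_block(method, query, body) or "allow")
    print("review these administrators:", suspicious_admins(SAMPLE_WP_USER_LIST, PLUGIN_INSTALLED_ON))
```

The filter blocks on presence of the parameter, as the mitigation text recommends; if the plugin's own form legitimately sends user_register_role=subscriber, narrow the rule to block only values outside that set rather than the parameter itself.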
Update the UrbanGo Membership plugin to a fixed version. The vulnerability lets unauthenticated attackers obtain administrator privileges by creating accounts with elevated roles. Check for available updates in the WordPress plugin repository or on the developer's site.
CVE-2025-3278 is a critical vulnerability that allows unauthenticated attackers to gain administrator privileges in the UrbanGo Membership WordPress plugin, versions 1.0.0–1.0.4, by manipulating the role assigned during user registration.
If you are using UrbanGo Membership plugin versions 1.0.0 through 1.0.4 on your WordPress site, you are potentially affected by this vulnerability.
Upgrade the UrbanGo Membership plugin to the latest patched version as soon as possible. If upgrading is not immediately possible, consider temporary mitigation steps like disabling user registration.
While no confirmed active exploitation has been reported, the ease of exploitation and high CVSS score suggest a high probability of exploitation. Proactive patching is strongly recommended.
Refer to the UrbanGo Membership plugin's official website or WordPress plugin repository for the latest security advisory and patch information.