Platform: wordpress
Component: urbango-membership
Fixed version: 1.0.5
CVE-2025-3278 is a critical privilege escalation vulnerability discovered in the UrbanGo Membership plugin for WordPress. This flaw allows unauthenticated attackers to elevate their privileges to administrator level by manipulating the user registration process. The vulnerability impacts versions 1.0.0 through 1.0.4 of the plugin, and a patch is currently available.
The impact of this vulnerability is severe. An attacker can exploit it to gain complete control over a WordPress site by creating a new user account and assigning themselves the administrator role. This grants them full access to all site data, including sensitive information like user credentials, financial data, and proprietary content. They can modify website content, install malicious plugins, and even delete the entire site. The ease of exploitation, requiring only a crafted user registration request, significantly increases the risk of widespread compromise.
This vulnerability was publicly disclosed on 2025-04-19. While no public exploits have been confirmed, the ease of exploitation and the critical CVSS score suggest a high probability of exploitation. It is recommended to prioritize patching this vulnerability. The vulnerability's nature aligns with common WordPress plugin security flaws, potentially making it a target for automated exploitation tools.
WordPress websites utilizing the UrbanGo Membership plugin, particularly those with open user registration enabled, are at significant risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk due to the potential for cross-site contamination.
• Check whether the installed plugin code references the role parameter (wordpress / composer / npm):
grep -r 'user_register_role' /var/www/html/wp-content/plugins/urban-go-membership/
• Check whether the plugin is active:
wp plugin list --status=active | grep urban-go-membership
• Update the plugin to the fixed version:
wp plugin update urban-go-membership
Exploitation status
EPSS: 0.58% (69th percentile)
The primary mitigation is to immediately upgrade the UrbanGo Membership plugin to a patched version. If upgrading is not feasible because of compatibility issues or breaking changes, temporarily disable user registration or enforce stricter role assignment controls. WordPress administrators should also review the user list for administrator accounts created around the time of the public disclosure. Implement a Web Application Firewall (WAF) rule that blocks registration requests carrying the 'user_register_role' parameter. Regularly audit user roles and permissions to identify and remove any unauthorized administrator accounts.
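The two review steps above, checking for administrator accounts registered after the disclosure date and spotting requests that carry the role parameter, as an added example that is not part of the original advisory. The admin list is the CSV shape produced by `wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv`; the log lines, the user names and the `action=urbango_register` endpoint name are constructed for illustration, not taken from the plugin.

```python
import csv
import io
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Public disclosure date from the advisory; admins created on or after it deserve review.
DISCLOSURE = datetime(2025, 4, 19)
# Parameter name taken from the advisory's grep hint.
ROLE_PARAM = "user_register_role"

# Constructed sample of:
#   wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv
ADMIN_CSV = """ID,user_login,user_registered
1,site_owner,2023-02-10 09:12:44
57,editor_jane,2024-11-02 17:40:01
312,qwx9,2025-04-21 03:14:09
"""

# Constructed Apache combined-format lines; the endpoint name is hypothetical. Only the
# query string is visible here, a POST body needs WAF or application-level logging.
ACCESS_LOG = [
    '203.0.113.9 - - [21/Apr/2025:03:14:08 +0000] "POST /wp-admin/admin-ajax.php?action=urbango_register&user_register_role=administrator HTTP/1.1" 200 51 "-" "curl/8.5.0"',
    '198.51.100.4 - - [21/Apr/2025:03:15:00 +0000] "GET /membership/register/ HTTP/1.1" 200 8830 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Apr/2025:03:16:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.5.0"',
]

REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"')

def suspicious_admins(csv_text: str, since: datetime = DISCLOSURE) -> list:
    """Return administrator rows whose registration time is on or after `since`."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= since:
            hits.append(row)
    return hits

def role_param_requests(lines: list) -> list:
    """Return requests whose query string carries the role parameter, whatever its value."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m["uri"]).query)
        if ROLE_PARAM in params:
            hits.append({"ip": m["ip"], "ts": m["ts"], "uri": m["uri"], "role": params[ROLE_PARAM][0]})
    return hits

if __name__ == "__main__":
    for a in suspicious_admins(ADMIN_CSV):
        print(f"review admin {a['user_login']} (ID {a['ID']}) registered {a['user_registered']}")
    for r in role_param_requests(ACCESS_LOG):
        print(f"{r['ts']} {r['ip']} sent {ROLE_PARAM}={r['role']} to {r['uri']}")
```

A legitimate registration should never carry this parameter, so any hit from `role_param_requests` is worth correlating with the admin list regardless of the role value it requested.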
Update the UrbanGo Membership plugin to a fixed version. The vulnerability allows unauthenticated attackers to gain administrator privileges by creating an account with an elevated role. Check the WordPress repository or the developer's website for available updates.
CVE-2025-3278 is a critical vulnerability that allows unauthenticated attackers to gain administrator privileges in the UrbanGo Membership WordPress plugin, versions 1.0.0 through 1.0.4, by manipulating the role assigned during user registration.
If you are using UrbanGo Membership plugin versions 1.0.0 through 1.0.4 on your WordPress site, you are potentially affected by this vulnerability.
Upgrade the UrbanGo Membership plugin to the latest patched version as soon as possible. If upgrading is not immediately possible, consider temporary mitigation steps like disabling user registration.
While no confirmed active exploitation has been reported, the ease of exploitation and high CVSS score suggest a high probability of exploitation. Proactive patching is strongly recommended.
Refer to the UrbanGo Membership plugin's official website or WordPress plugin repository for the latest security advisory and patch information.