cleantalk
Vulnerabilities and Security Researches

User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin, CVE-2025-3281

CVE, Research URL

CVE-2025-3281

Home page URL

Security reports for User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin

Application

User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin

Published on
May 06, 2025
Research Description
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.1 via the create_stripe_subscription() function, due to missing validation on the 'member_id' user controlled key. This makes it possible for unauthenticated attackers to delete arbitrary user accounts that have registered through the plugin.
Affected versions
max 4.2.2.
Status
vulnerable
Previous vulnerability researches
Restrict User Registration (CVE-2023-53599) , Nov 10, 2025
Restrict User Registration (CVE-2025-32655) , Apr 14, 2025
User Registration Aide (CVE-2025-53239) , Nov 10, 2025
User Registration Using Contact Form 7 (CVE-2025-32679) , Apr 11, 2025
Confirm User Registration (CVE-2025-46459) , Apr 25, 2025
New vulnerability
Pure WC Variation Swatches (CVE-2025-12820) , Jan 11, 2026
WP Scraper (CVE-2025-62088) , Jan 11, 2026
Chat Widget: Customer Support Button with SMS Call Button, Click to Chat Messenger Live Chat Support Chat Button – Bit As (CVE-2025-68596) , Jan 11, 2026
Free Follow-Up Emails & Marketing Automation for WooCommerce – ShopMagic (CVE-2025-69093) , Jan 11, 2026
SALESmanago (CVE-2025-68571) , Jan 11, 2026