Share
## https://sploitus.com/exploit?id=B6E234EC-895A-57D2-ADFF-218AF38CEA70
# CVE-2025-2563 โ€” User Registration & Membership | Full-Chain Admin Escalation



  โ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—       โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— 
  โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—     โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ• 
  โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•     โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ–ˆโ•—
  โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ•šโ•โ•โ•โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ•  โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—     โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ•  โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘
  โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘     โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•
   โ•šโ•โ•โ•โ•โ•โ• โ•šโ•โ•โ•โ•โ•โ•โ•โ•šโ•โ•โ•โ•โ•โ•โ•โ•šโ•โ•  โ•šโ•โ•     โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ•โ•โ•โ•โ•โ• โ•šโ•โ•โ•โ•โ•โ• 



> **CVE-2025-2563** โ€” Unauthenticated Privilege Escalation via User Registration & Membership plugin for WordPress.
> Full-chain exploit: anonymous registration โ†’ membership nonce abuse โ†’ administrator role takeover.

---

## Vulnerability Summary

| Field | Detail |
|---|---|
| **CVE** | CVE-2025-2563 |
| **Plugin** | User Registration & Membership |
| **Affected Version** | โ‰ค 4.1.1 |
| **Type** | Unauthenticated Privilege Escalation |
| **CVSS** | Critical |
| **Vector** | Network / No Auth Required |
| **WordPress** | Any version running the plugin |

---

## Attack Chain

```
[1] Crawl target
       โ†“
[2] Fetch /membership-pricing/ & /membership-registration/
       โ†“
[3] Extract form_id, membership_id, security nonce, ur_frontend_form_nonce
       โ†“
[4] POST to /wp-admin/admin-ajax.php
    action=user_registration_user_form_submit
    โ†’ Create arbitrary user account (unauthenticated)
       โ†“
[5] Abuse membership JS nonce via ur_membership_frontend_localized_data
    โ†’ Assign administrator-level membership plan to new account
       โ†“
[6] Verify admin access at /wp-admin/users.php & /wp-admin/plugin-install.php
       โ†“
[7] Save credentials โ†’ NATA_admin.txt
```

---

## Features

- **Mass exploitation** โ€” multi-threaded, processes hundreds of targets in parallel
- **Smart nonce extraction** โ€” scrapes security tokens from 3+ registration endpoints automatically
- **Full combo bruteforce** โ€” tries all discovered `form_id ร— membership_id ร— nonce` combinations
- **Admin verification** โ€” confirms actual `wp-admin` access before marking as success
- **Clean output** โ€” Rich terminal UI with live status per target
- **Auto logging** โ€” credentials saved to `NATA_admin.txt`, registrations to `reg.txt`

---

## Requirements

```bash
pip install requests rich
```

---

## Usage

```bash
# 1. Add targets to list.txt (one URL per line)
# 2. Run
python CVE-2025-2563.py
```

**Input:** `list.txt`
```
https://target1.com
https://target2.com
https://target3.com
```

**Output:** `NATA_admin.txt`
```
[2025-04-20 08:00:00] https://target.com/wp-login.php user:natxploit_abc pass:NATA_adminSA
```

---

## Output Files

| File | Contents |
|---|---|
| `NATA_admin.txt` | Confirmed admin credentials |
| `reg.txt` | All successful registrations |

---

## Detection (Defender Notes)

Monitor for:
- Repeated POST to `/wp-admin/admin-ajax.php` with `action=user_registration_user_form_submit`
- Sudden new users with administrator role from untrusted registration
- Requests to `/membership-registration/` followed immediately by AJAX membership assignment

**Patch:** Update **User Registration & Membership** plugin to version **>= 4.1.2**

---

## Disclaimer

> This tool is released for **authorized penetration testing and security research only**.
> The author holds no responsibility for misuse. Always obtain explicit written permission before testing.

---

## Author

**Natan Utama** โ€” [github.com/dokter69](https://github.com/dokter69) | Telegram: [@ayasyanaro](https://t.me/ayasyanaro)