Share
## https://sploitus.com/exploit?id=B6E234EC-895A-57D2-ADFF-218AF38CEA70
# CVE-2025-2563 โ User Registration & Membership | Full-Chain Admin Escalation
โโโ โโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโ โโโโโโโโ โโโโโโโ
โโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโ
โโโ โโโโโโโโโโโโโโโโโ โโโโโโโโ โโโโโโโโโโโโโโ โโโ โโโโ
โโโ โโโโโโโโโโโโโโโโโ โโโโโโโโ โโโโโโโโโโโโโโ โโโ โโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโ โโโ โโโโโโโโโโโโโโโโโโโโ
โโโโโโโ โโโโโโโโโโโโโโโโโโโ โโโ โโโ โโโโโโโโโโโ โโโโโโโ
> **CVE-2025-2563** โ Unauthenticated Privilege Escalation via User Registration & Membership plugin for WordPress.
> Full-chain exploit: anonymous registration โ membership nonce abuse โ administrator role takeover.
---
## Vulnerability Summary
| Field | Detail |
|---|---|
| **CVE** | CVE-2025-2563 |
| **Plugin** | User Registration & Membership |
| **Affected Version** | โค 4.1.1 |
| **Type** | Unauthenticated Privilege Escalation |
| **CVSS** | Critical |
| **Vector** | Network / No Auth Required |
| **WordPress** | Any version running the plugin |
---
## Attack Chain
```
[1] Crawl target
โ
[2] Fetch /membership-pricing/ & /membership-registration/
โ
[3] Extract form_id, membership_id, security nonce, ur_frontend_form_nonce
โ
[4] POST to /wp-admin/admin-ajax.php
action=user_registration_user_form_submit
โ Create arbitrary user account (unauthenticated)
โ
[5] Abuse membership JS nonce via ur_membership_frontend_localized_data
โ Assign administrator-level membership plan to new account
โ
[6] Verify admin access at /wp-admin/users.php & /wp-admin/plugin-install.php
โ
[7] Save credentials โ NATA_admin.txt
```
---
## Features
- **Mass exploitation** โ multi-threaded, processes hundreds of targets in parallel
- **Smart nonce extraction** โ scrapes security tokens from 3+ registration endpoints automatically
- **Full combo bruteforce** โ tries all discovered `form_id ร membership_id ร nonce` combinations
- **Admin verification** โ confirms actual `wp-admin` access before marking as success
- **Clean output** โ Rich terminal UI with live status per target
- **Auto logging** โ credentials saved to `NATA_admin.txt`, registrations to `reg.txt`
---
## Requirements
```bash
pip install requests rich
```
---
## Usage
```bash
# 1. Add targets to list.txt (one URL per line)
# 2. Run
python CVE-2025-2563.py
```
**Input:** `list.txt`
```
https://target1.com
https://target2.com
https://target3.com
```
**Output:** `NATA_admin.txt`
```
[2025-04-20 08:00:00] https://target.com/wp-login.php user:natxploit_abc pass:NATA_adminSA
```
---
## Output Files
| File | Contents |
|---|---|
| `NATA_admin.txt` | Confirmed admin credentials |
| `reg.txt` | All successful registrations |
---
## Detection (Defender Notes)
Monitor for:
- Repeated POST to `/wp-admin/admin-ajax.php` with `action=user_registration_user_form_submit`
- Sudden new users with administrator role from untrusted registration
- Requests to `/membership-registration/` followed immediately by AJAX membership assignment
**Patch:** Update **User Registration & Membership** plugin to version **>= 4.1.2**
---
## Disclaimer
> This tool is released for **authorized penetration testing and security research only**.
> The author holds no responsibility for misuse. Always obtain explicit written permission before testing.
---
## Author
**Natan Utama** โ [github.com/dokter69](https://github.com/dokter69) | Telegram: [@ayasyanaro](https://t.me/ayasyanaro)