Cross-Site Request Forgery Vulnerability in User Registration Plugin for WordPress
CVE-2025-3284

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: User Registration Pro – Custom Registration Form, Login Form, And User Profile WordPress Plugin
Vendor: CVE Published:; 19 April 2025

Summary

The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery due to inadequate nonce validation in the user_registration_pro_delete_account() function. This weakness allows unauthenticated attackers to issue malicious requests that can delete user accounts, including those of administrators, by tricking a site administrator into clicking a specially crafted link.

Affected Version(s)

User Registration PRO – Custom Registration Form, Login Form, and User Profile WordPress Plugin * <= 5.1.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wpuserregistration.com/changelog/

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Apr 19, 2025
Vulnerability Reserved
Apr 4, 2025

Credit

wesley