CVE-2025-3284
Description
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.1.3. This is due to missing or incorrect nonce validation on the user_registration_pro_delete_account() function. This makes it possible for unauthenticated attackers to force delete users, including administrators, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-Site Request Forgery in User Registration & Membership plugin <=5.1.3 allows unauthenticated attackers to force-delete any user, including admins, via forged requests.
Vulnerability Analysis
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress (versions up to and including 5.1.3) is vulnerable to Cross-Site Request Forgery (CSRF). The root cause is missing or incorrect nonce validation on the user_registration_pro_delete_account() function [1]. Nonces are one-time tokens used to verify that an action was intentionally initiated by the current user session; without them, the function does not distinguish between a legitimate request and a forged one.
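The nonce mechanism described above, and the shape of the fix the Mitigation section refers to, as an added illustration that is not the plugin's own code (the hook, action and field names are hypothetical; the WordPress API calls are real): the CSRF-prone handler pattern beside a hardened one that verifies the nonce and then enforces who may delete whom.

```php
<?php
// Added illustration, not the plugin's own code. Hook, action and field names
// are hypothetical; the WordPress API calls are real.
add_action( 'wp_ajax_example_delete_account', 'example_delete_account_protected' );

// CSRF-prone pattern: the handler honours any request that reaches it from a
// logged-in browser, so a page the administrator is lured onto can submit it.
function example_delete_account_unprotected() {
    $user_id = absint( $_POST['user_id'] ?? 0 );
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $user_id );            // no nonce check, no capability check
    wp_send_json_success();
}

// Form side of the fix: mint a nonce bound to the current user and this action
// and embed it in the form that the legitimate page submits.
function example_delete_account_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_delete_account">';
    wp_nonce_field( 'example_delete_account', '_wpnonce' );   // adds the _wpnonce field
    echo '<button type="submit">Delete my account</button></form>';
}

// Hardened handler: verify the nonce first, then enforce who may delete whom.
function example_delete_account_protected() {
    // Dies with HTTP 403 when _wpnonce is absent or was not minted for
    // 'example_delete_account' by the current user's session.
    check_ajax_referer( 'example_delete_account', '_wpnonce' );
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_send_json_error( 'method not allowed', 405 );
    }
    $caller  = get_current_user_id();
    $user_id = absint( $_POST['user_id'] ?? $caller );

    // A user may remove only their own account unless they hold delete_users,
    // and an administrator account may be removed only by another administrator.
    if ( $user_id !== $caller && ! current_user_can( 'delete_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( user_can( $user_id, 'manage_options' ) && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    require_once ABSPATH . 'wp-admin/includes/user.php';
    if ( ! wp_delete_user( $user_id ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success();
}
```

A forged cross-site request cannot carry a valid _wpnonce for the victim's session, so the hardened handler rejects it before any deletion logic runs.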
Attack Vector
An unauthenticated attacker can exploit this by crafting a forged request that triggers the account deletion endpoint. The attack requires tricking a site administrator into performing an action such as clicking a malicious link or visiting a crafted page while authenticated to the WordPress admin area [1]. There are no additional authentication requirements for the attacker; only the victim administrator needs an active session.
Impact
Successful exploitation allows the attacker to force delete any user account on the WordPress site, including administrator-level accounts [1]. This can lead to complete denial of service for targeted users, loss of access, and potential site disruption if critical accounts are removed.
Mitigation
The plugin's changelog indicates the vulnerability exists in all versions up to and including 5.1.3 [1]. Users should update to the latest patched version as soon as it becomes available. No workarounds are documented; the recommended action is to apply the vendor's security update immediately.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.