Refine your search
1 vulnerability found for UrbanGo Membership by Edge-Themes
CVE-2025-3278 (GCVE-0-2025-3278)
Vulnerability from cvelistv5
Published
2025-04-19 02:22
Modified
2026-04-08 17:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-269 - Improper Privilege Management
Summary
The UrbanGo Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.4. This is due to the plugin allowing users who are registering new accounts to set their own role or by supplying 'user_register_role' field. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Edge-Themes | UrbanGo Membership |
Version: 0 ≤ 1.0.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3278",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-21T02:46:58.086151Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-21T02:47:09.027Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UrbanGo Membership",
"vendor": "Edge-Themes",
"versions": [
{
"lessThanOrEqual": "1.0.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alyudin Nafiie"
}
],
"descriptions": [
{
"lang": "en",
"value": "The UrbanGo Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.4. This is due to the plugin allowing users who are registering new accounts to set their own role or by supplying \u0027user_register_role\u0027 field. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:06:56.168Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/913ffe0c-c8f8-4cda-be9a-96c056d4c4a8?source=cve"
},
{
"url": "https://themeforest.net/item/urbango-directory-and-listing-wordpress-theme/22712624"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-04-18T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "UrbanGo Membership \u003c= 1.0.4 - Unauthenticated Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-3278",
"datePublished": "2025-04-19T02:22:33.746Z",
"dateReserved": "2025-04-04T14:25:07.846Z",
"dateUpdated": "2026-04-08T17:06:56.168Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}