CVE-2025-3278 | The UrbanGo Membership plugin for WordPress is vulnerable to… | CVSS 9.8 CRITICAL

Description

The UrbanGo Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.4. This is due to the plugin allowing users who are registering new accounts to set their own role or by supplying 'user_register_role' field. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.

Metadata

CVE ID: CVE-2025-3278
State: PUBLISHED
Assigner: Wordfence
Reserved: 2025-04-04 14:25 UTC
Published: 2025-04-19 02:22 UTC
Last updated: 2026-04-08 17:06 UTC
Primary CWE: CWE-269
CWE-269 Improper Privilege Management
Vendor / Product: Edge-Themes / UrbanGo Membership
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Edge-Themes	UrbanGo Membership	—	0 ≤ 1.0.4

Weakness (CWE)

CWE	Source	Description
CWE-269	cna	CWE-269 Improper Privilege Management

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (2)