
CVE-2025-3281: CWE-639 Authorization Bypass Through User-Controlled Key in wpeverest User Registration & Membership – Custom Registration Form, Login Form, and User Profile

Medium
Type: Vulnerability
Tags: CVE-2025-3281, cve, cve-2025-3281, cwe-639
Published: Tue May 06 2025 (05/06/2025, 07:24:21 UTC)
Source: CVE
Vendor/Project: wpeverest
Product: User Registration & Membership – Custom Registration Form, Login Form, and User Profile

Description

The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.1 via the create_stripe_subscription() function, due to missing validation on the 'member_id' user controlled key. This makes it possible for unauthenticated attackers to delete arbitrary user accounts that have registered through the plugin.

AI-Powered Analysis

Last updated: 07/06/2025, 19:12:08 UTC

Technical Analysis

CVE-2025-3281 is a medium severity vulnerability affecting the WordPress plugin 'User Registration & Membership – Custom Registration Form, Login Form, and User Profile' developed by wpeverest. This vulnerability is classified as an Authorization Bypass through User-Controlled Key, specifically an Insecure Direct Object Reference (IDOR) issue (CWE-639). The flaw exists in all versions up to and including 4.2.1 within the create_stripe_subscription() function. The root cause is the lack of proper validation on the 'member_id' parameter, which is user-controlled. Because of this missing validation, unauthenticated attackers can manipulate the 'member_id' to delete arbitrary user accounts that have registered through the plugin. The vulnerability does not require any authentication or user interaction, and the attack vector is network-based (remote). The CVSS v3.1 base score is 5.3, reflecting a medium severity level, with impact primarily on integrity (unauthorized deletion of user accounts) but no direct impact on confidentiality or availability. There are no known exploits in the wild at this time, and no official patches have been linked yet. The vulnerability poses a risk to WordPress sites using this plugin, potentially allowing attackers to disrupt user accounts by deleting them, which could lead to denial of service for affected users and administrative overhead for site operators to restore accounts or data.

Potential Impact

For European organizations, this vulnerability could lead to unauthorized deletion of user accounts on websites using the affected plugin, impacting user trust and service continuity. Organizations relying on this plugin for membership management, e-commerce, or subscription services could face operational disruptions, loss of customer data integrity, and reputational damage. Particularly, websites handling sensitive user data or providing critical services may experience increased risk of user account manipulation and potential downstream effects such as loss of revenue or customer dissatisfaction. Since the vulnerability allows unauthenticated attackers to delete accounts, it could be exploited at scale to disrupt services. Although no direct confidentiality or availability impact is indicated, the integrity compromise of user accounts can indirectly affect availability if users lose access or require account recovery. European organizations must consider GDPR implications if user data is affected, as unauthorized deletion could be viewed as a data integrity issue requiring notification and remediation.

Mitigation Recommendations

1. Immediate mitigation involves disabling or removing the affected plugin until a patch is available.
2. Monitor official wpeverest channels and WordPress plugin repositories for updates or patches addressing CVE-2025-3281 and apply them promptly.
3. Implement web application firewall (WAF) rules to detect and block suspicious requests targeting the 'member_id' parameter or the create_stripe_subscription() function endpoint.
4. Conduct regular audits of user accounts to detect unauthorized deletions and maintain backups of user data to enable recovery.
5. Restrict access to administrative and user management functions through additional authentication layers or IP whitelisting where feasible.
6. Educate site administrators on monitoring logs for unusual activity related to user account deletions.
7. Consider deploying intrusion detection systems (IDS) tuned to detect exploitation attempts targeting this vulnerability.
8. If custom development is possible, implement server-side validation and authorization checks on user-controlled parameters to prevent unauthorized actions.
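As an added illustration of recommendation 8 (this is not the plugin's own code, and the action name, nonce name and function name are hypothetical), the following WordPress AJAX handler shows the object-level authorization check that CWE-639 describes as missing: the user-controlled 'member_id' is only honoured when it refers to the caller's own account or the caller holds a capability that covers other users.

```php
<?php
// Added example, not code from the wpeverest plugin. The action name
// 'example_delete_member' and the nonce name 'ur_member_nonce' are placeholders.

add_action( 'wp_ajax_example_delete_member', 'example_delete_member' );
// Deliberately NOT registered on 'wp_ajax_nopriv_...': anonymous visitors never
// reach this handler, so an unauthenticated caller cannot trigger the deletion.

function example_delete_member() {
    // 1. Require an authenticated session.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // 2. Require a valid nonce bound to the current session (blocks CSRF).
    check_ajax_referer( 'ur_member_nonce', 'security' );

    // 3. Normalise the user-controlled key; absint() maps negative and
    //    non-numeric input to 0, which is rejected below.
    $member_id = isset( $_POST['member_id'] ) ? absint( $_POST['member_id'] ) : 0;
    if ( 0 === $member_id ) {
        wp_send_json_error( array( 'message' => 'Invalid member_id.' ), 400 );
    }

    // 4. Authorization: the key must refer to the caller's own account unless the
    //    caller has the delete_users capability. This comparison is the check
    //    whose absence turns 'member_id' into an insecure direct object reference.
    $caller_id = get_current_user_id();
    if ( $member_id !== $caller_id && ! current_user_can( 'delete_users' ) ) {
        wp_send_json_error( array( 'message' => 'Not permitted.' ), 403 );
    }

    // 5. Only now act on the object, and leave an audit trail of who did it
    //    (recommendation 6: log entries that account-deletion monitoring can use).
    require_once ABSPATH . 'wp-admin/includes/user.php';
    if ( ! wp_delete_user( $member_id ) ) {
        wp_send_json_error( array( 'message' => 'Deletion failed.' ), 500 );
    }
    error_log( sprintf( 'member %d deleted by user %d', $member_id, $caller_id ) );

    wp_send_json_success( array( 'deleted' => $member_id ) );
}
```

The same pattern applies to any handler that accepts an identifier for a record it will modify: authenticate, verify the nonce, validate the key's type, then check that the authenticated principal is allowed to act on that specific object before touching it.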


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-04-04T15:15:57.202Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981cc4522896dcbdaa82

Added to database: 5/21/2025, 9:08:44 AM

Last enriched: 7/6/2025, 7:12:08 PM

Last updated: 8/8/2025, 10:57:37 PM
