CVE-2025-3609: CWE-863 Incorrect Authorization in pixel_prime Reales WP STPT
The Reales WP STPT plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 2.1.2. This is due to the 'reales_user_signup_form' AJAX action not verifying if user registration is enabled, prior to registering a user. This makes it possible for unauthenticated attackers to create new user accounts, which can be leveraged with CVE-XX to achieve privilege escalation.
AI Analysis
Technical Summary
CVE-2025-3609 is an authorization vulnerability classified under CWE-863 affecting the Reales WP STPT plugin for WordPress. The issue stems from the 'reales_user_signup_form' AJAX action failing to verify whether user registration is enabled before processing requests. This lack of proper authorization checks allows unauthenticated attackers to create new user accounts arbitrarily, bypassing any administrative controls that might disable user registration. The vulnerability affects all versions up to 2.1.2 inclusive. Although the vulnerability itself does not directly lead to privilege escalation, it can be leveraged in conjunction with other vulnerabilities (e.g., CVE-XX referenced in the description) to escalate privileges within the WordPress environment. The CVSS 3.1 base score is 5.3, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact is limited to integrity as unauthorized accounts can be created, potentially undermining the trust model of the site. No patches or fixes are currently linked, and no known exploits are reported in the wild. The vulnerability was reserved in mid-April 2025 and published in early May 2025, with enrichment from CISA indicating recognized risk. This vulnerability highlights the importance of proper authorization checks in AJAX handlers, especially in widely used CMS plugins.
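To make the missing check concrete, the following is an added illustration (not the Reales WP STPT plugin's own code) of a WordPress AJAX signup handler with the CWE-863 pattern described above beside a hardened version. Only the action name 'reales_user_signup_form' comes from the advisory; every other function, nonce and field name is a hypothetical placeholder.

```php
<?php
// Added illustration, not the plugin's code. Identifiers other than the AJAX
// action name are placeholders.

// Vulnerable pattern: reachable unauthenticated (wp_ajax_nopriv_ hook) and it
// registers a user without asking whether the site allows registration at all.
function example_signup_vulnerable() {
    $user  = sanitize_user( wp_unslash( $_POST['username'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $pass  = (string) ( $_POST['password'] ?? '' );
    $id    = wp_create_user( $user, $pass, $email ); // no users_can_register check
    if ( is_wp_error( $id ) ) {
        wp_send_json_error( $id->get_error_message() );
    }
    wp_send_json_success( $id );
}

// Hardened version: enforce the site-wide registration switch first, then the
// form nonce, then input validation; never take a role from the request.
function example_signup_hardened() {
    // 1. Authorization: honour Settings > General > "Anyone can register".
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }
    // 2. CSRF: the form must carry a nonce created with wp_create_nonce( 'example_signup_nonce' ).
    check_ajax_referer( 'example_signup_nonce', 'nonce' );

    $user  = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $pass  = (string) ( $_POST['password'] ?? '' );

    if ( '' === $user || ! is_email( $email ) || strlen( $pass ) < 12 ) {
        wp_send_json_error( 'Invalid username, e-mail or password.', 400 );
    }
    if ( username_exists( $user ) || email_exists( $email ) ) {
        wp_send_json_error( 'Username or e-mail already in use.', 409 );
    }
    // 3. wp_create_user() assigns the configured default_role; no role parameter
    //    is read from $_POST, so the caller cannot pick an elevated role.
    $id = wp_create_user( $user, $pass, $email );
    if ( is_wp_error( $id ) ) {
        wp_send_json_error( $id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'user_id' => $id ) );
}

// Only the hardened handler is exposed to unauthenticated callers.
add_action( 'wp_ajax_nopriv_reales_user_signup_form', 'example_signup_hardened' );
```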
Potential Impact
The primary impact of CVE-2025-3609 is unauthorized user account creation on WordPress sites using the vulnerable Reales WP STPT plugin. This can undermine site integrity by allowing attackers to register accounts without administrative consent, potentially enabling further malicious activities such as posting spam, phishing, or reconnaissance. When combined with other vulnerabilities, attackers may escalate privileges, gaining administrative access and full control over the site. This can lead to data breaches, defacement, malware distribution, or pivoting to internal networks. The vulnerability affects all sites using the plugin up to version 2.1.2, which may include a significant number of WordPress installations globally. Although no known exploits are currently in the wild, the ease of exploitation (no authentication or user interaction required) means attackers could quickly weaponize this flaw once public details are widely known. Organizations relying on this plugin face risks to their website integrity, user trust, and potentially broader network security if privilege escalation is achieved.
Mitigation Recommendations
1. Immediately check if your WordPress site uses the Reales WP STPT plugin and identify the version installed.
2. Monitor the plugin vendor’s official channels for patches or updates addressing CVE-2025-3609 and apply them promptly once available.
3. If no patch is available, consider temporarily disabling the plugin or the vulnerable AJAX action to prevent unauthorized registrations.
4. Restrict access to the AJAX endpoint 'reales_user_signup_form' via web application firewall (WAF) rules or server-level access controls to block unauthenticated requests.
5. Implement monitoring and alerting for unusual user registration activity to detect exploitation attempts early.
6. Harden WordPress user registration settings by disabling user registration globally if not needed.
7. Conduct regular security audits and penetration testing focusing on plugin vulnerabilities and privilege escalation chains.
8. Educate site administrators about the risks of unauthorized account creation and ensure strong password policies and multi-factor authentication for all users.
9. Review and limit plugin usage to only trusted and actively maintained components to reduce attack surface.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-04-14T20:16:57.211Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d981cc4522896dcbdac7c
Added to database: 5/21/2025, 9:08:44 AM
Last enriched: 2/27/2026, 1:38:37 PM
Last updated: 3/25/2026, 12:02:55 PM