CVE-2025-3609: CWE-863 Incorrect Authorization in pixel_prime Reales WP STPT
The Reales WP STPT plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 2.1.2. This is due to the 'reales_user_signup_form' AJAX action not verifying if user registration is enabled, prior to registering a user. This makes it possible for unauthenticated attackers to create new user accounts, which can be leveraged with CVE-XX to achieve privilege escalation.
AI Analysis
Technical Summary
CVE-2025-3609 is an authorization vulnerability in the Reales WP STPT WordPress plugin (versions up to 2.1.2) where the AJAX action 'reales_user_signup_form' fails to check if user registration is enabled before processing registrations. This flaw permits unauthenticated attackers to create new user accounts arbitrarily. The vulnerability is categorized as CWE-863 (Incorrect Authorization). The CVSS 3.1 score is 5.3 (medium), reflecting network attack vector, low complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, low integrity impact, and no availability impact. No official patch or vendor advisory is provided in the data, and no known exploits are reported in the wild.
Potential Impact
An attacker can register new user accounts on vulnerable WordPress sites without authorization. This unauthorized account creation could be leveraged in combination with other vulnerabilities (e.g., privilege escalation flaws) to gain higher privileges. The integrity of the affected system could be impacted due to unauthorized user additions, but confidentiality and availability are not directly affected by this vulnerability alone.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should consider disabling user registration if not required or implementing additional access controls on the AJAX action. Monitoring for unauthorized user registrations is advisable. No official patch or temporary fix is currently documented in the provided data.
CVE-2025-3609: CWE-863 Incorrect Authorization in pixel_prime Reales WP STPT
Description
The Reales WP STPT plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 2.1.2. This is due to the 'reales_user_signup_form' AJAX action not verifying if user registration is enabled, prior to registering a user. This makes it possible for unauthenticated attackers to create new user accounts, which can be leveraged with CVE-XX to achieve privilege escalation.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-3609 is an authorization vulnerability in the Reales WP STPT WordPress plugin (versions up to 2.1.2) where the AJAX action 'reales_user_signup_form' fails to check if user registration is enabled before processing registrations. This flaw permits unauthenticated attackers to create new user accounts arbitrarily. The vulnerability is categorized as CWE-863 (Incorrect Authorization). The CVSS 3.1 score is 5.3 (medium), reflecting network attack vector, low complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, low integrity impact, and no availability impact. No official patch or vendor advisory is provided in the data, and no known exploits are reported in the wild.
Potential Impact
An attacker can register new user accounts on vulnerable WordPress sites without authorization. This unauthorized account creation could be leveraged in combination with other vulnerabilities (e.g., privilege escalation flaws) to gain higher privileges. The integrity of the affected system could be impacted due to unauthorized user additions, but confidentiality and availability are not directly affected by this vulnerability alone.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should consider disabling user registration if not required or implementing additional access controls on the AJAX action. Monitoring for unauthorized user registrations is advisable. No official patch or temporary fix is currently documented in the provided data.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-04-14T20:16:57.211Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d981cc4522896dcbdac7c
Added to database: 5/21/2025, 9:08:44 AM
Last enriched: 4/9/2026, 10:14:55 AM
Last updated: 5/8/2026, 9:36:53 PM
Views: 79
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.