CVE-2025-3609: CWE-863 Incorrect Authorization in pixel_prime Reales WP STPT
The Reales WP STPT plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 2.1.2. This is due to the 'reales_user_signup_form' AJAX action not verifying if user registration is enabled, prior to registering a user. This makes it possible for unauthenticated attackers to create new user accounts, which can be leveraged with CVE-XX to achieve privilege escalation.
AI Analysis
Technical Summary
CVE-2025-3609 is a medium-severity vulnerability in the Reales WP STPT plugin for WordPress, developed by pixel_prime. It stems from an incorrect authorization check (CWE-863) in the 'reales_user_signup_form' AJAX action: the plugin does not verify that user registration is enabled before processing a signup request. As a result, unauthenticated attackers can create new user accounts on affected sites running any version of the plugin up to and including 2.1.2. The vulnerability does not by itself grant elevated privileges, but it can be chained with other vulnerabilities (e.g., the privilege escalation flaw referenced as CVE-XX) to gain higher access. The CVSS v3.1 base score is 5.3, reflecting a network-exploitable vulnerability that requires no privileges or user interaction and whose impact is to integrity, through unauthorized account creation. No exploits in the wild have been reported, and no official patch has been linked yet. The vulnerability was publicly disclosed on May 6, 2025; the CVE was assigned by Wordfence and has been enriched by CISA. The core issue is the absence of a check confirming that registration is enabled before the AJAX action creates an account, which bypasses the site operator's registration policy and lets anyone obtain an account on the site.
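To make the missing check concrete, the following is an added example written for this page, not code from the Reales WP STPT plugin or from pixel_prime: a hypothetical WordPress AJAX signup handler in its vulnerable shape next to a hardened one. The function names, the 'example_signup_form' action, the nonce action name and the POST field names are assumptions; the WordPress functions used (get_option('users_can_register'), check_ajax_referer, wp_create_user, wp_insert_user, wp_send_json_error) are real core APIs.

```php
<?php
// Added example, not the Reales WP STPT plugin's code. It shows the CWE-863
// pattern described in the advisory (an unauthenticated AJAX handler that
// never asks whether registration is allowed) beside a hardened handler.
// All example_* names, the nonce action and the field names are assumptions.

// Vulnerable pattern: the nopriv AJAX handler creates the account without
// consulting the site's registration policy.
function example_signup_vulnerable() {
    $login = sanitize_user( wp_unslash( $_POST['username'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $pass  = (string) ( $_POST['password'] ?? '' );

    $user_id = wp_create_user( $login, $pass, $email );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message() );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// Hardened pattern: honour the core "Anyone can register" setting, verify the
// nonce carried by the signup form, validate input and force the default role.
function example_signup_hardened() {
    // The authorization check the vulnerable handler lacks.
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 ); // terminates
    }
    // CSRF protection; 'example_signup' is an assumed nonce action name.
    check_ajax_referer( 'example_signup', 'nonce' );

    $login = sanitize_user( wp_unslash( $_POST['username'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $pass  = (string) ( $_POST['password'] ?? '' );
    if ( '' === $login || ! is_email( $email ) || strlen( $pass ) < 12 ) {
        wp_send_json_error( 'Invalid signup data.', 400 );
    }

    // Do not take a role from the request; use the site's configured default.
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => get_option( 'default_role', 'subscriber' ),
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// Register only the hardened handler for unauthenticated (nopriv) and
// authenticated callers; 'example_signup_form' is an assumed action name.
add_action( 'wp_ajax_nopriv_example_signup_form', 'example_signup_hardened' );
add_action( 'wp_ajax_example_signup_form', 'example_signup_hardened' );
```

The 'users_can_register' option is what the Settings > General "Anyone can register" checkbox stores, so the hardened handler simply defers to the operator's policy rather than inventing its own. wp_send_json_error ends the request after sending the JSON, so nothing after a failed check executes.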
Potential Impact
For European organizations using WordPress websites with the Reales WP STPT plugin, this vulnerability poses a significant risk to website integrity and security posture. Unauthorized account creation can lead to attackers establishing footholds within the web application environment. Once attacker-controlled accounts exist, they may attempt privilege escalation attacks, potentially compromising sensitive data, modifying website content, or deploying malicious payloads such as web shells or phishing pages. This can damage organizational reputation, lead to data breaches, and disrupt business operations. The impact is particularly critical for organizations relying on WordPress for customer-facing portals, e-commerce, or internal collaboration, where unauthorized user accounts can bypass intended access controls. Additionally, the vulnerability's network-exploitable nature means attackers can exploit it remotely without authentication or user interaction, increasing the attack surface. Although no active exploits are reported, the presence of this vulnerability in widely used WordPress plugins necessitates urgent attention to prevent potential exploitation, especially given the popularity of WordPress in Europe.
Mitigation Recommendations
To mitigate CVE-2025-3609, European organizations should:
1) Immediately audit all WordPress installations to identify the presence of the Reales WP STPT plugin and determine the version in use.
2) Disable or restrict the plugin if it is not essential to reduce exposure.
3) Monitor official pixel_prime and WordPress plugin repositories for patches or updates addressing this vulnerability and apply them promptly once available.
4) Implement web application firewall (WAF) rules to detect and block unauthorized AJAX requests targeting 'reales_user_signup_form' actions, especially those attempting user registrations when registration is disabled.
5) Enforce strict user registration policies at the WordPress core level, ensuring registration is disabled if not required.
6) Conduct regular reviews of user accounts to detect and remove any unauthorized or suspicious accounts created without proper authorization.
7) Employ multi-factor authentication (MFA) and least privilege principles for all user accounts to limit the impact of any unauthorized account creation.
8) Monitor logs for unusual registration activity or spikes in new user creation attempts.
These steps go beyond generic advice by focusing on plugin-specific controls, proactive detection, and layered defenses tailored to this vulnerability's exploitation vector.
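Until a vendor fix is linked, items 4, 6 and 8 above can be partly covered on the site itself. The following must-use plugin is an added example for this page, not code from pixel_prime or from the Reales WP STPT plugin: it refuses the 'reales_user_signup_form' AJAX action while core registration is disabled and writes an audit line for every account creation so that spikes and off-policy registrations are visible in the log. The regguard_ function names and the log line format are assumptions; the action name comes from the advisory, and wp_doing_ajax, the user_register hook and error_log are standard WordPress/PHP facilities.

```php
<?php
/**
 * Plugin Name: Registration guard (added example, not pixel_prime's code)
 * Install as wp-content/mu-plugins/registration-guard.php. Compensating
 * control only; it does not replace updating or removing the plugin.
 */

// Refuse the vulnerable AJAX action while the site has registration turned
// off. Hooked on 'init' at priority 0, which runs inside wp-load.php and
// therefore before admin-ajax.php dispatches any wp_ajax_nopriv_* handler.
function regguard_block_signup_when_disabled() {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';
    if ( 'reales_user_signup_form' !== $action ) {
        return;
    }
    if ( get_option( 'users_can_register' ) ) {
        return; // Site allows signups; let the plugin handle the request.
    }
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf( 'regguard: blocked %s from %s (registration disabled)', $action, $ip ) );
    wp_send_json_error( 'Registration is disabled.', 403 ); // terminates the request
}
add_action( 'init', 'regguard_block_signup_when_disabled', 0 );

// Audit trail for items 6 and 8: log every new account together with the
// request context that created it. A registration recorded while
// registration_enabled=no, or a burst of lines from the same action, is the
// signal to review the accounts.
function regguard_log_registration( $user_id ) {
    $user   = get_userdata( $user_id );
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '-';
    error_log( sprintf(
        'regguard: new user id=%d login=%s roles=%s action=%s ajax=%s registration_enabled=%s',
        $user_id,
        $user ? $user->user_login : '?',
        $user ? implode( ',', $user->roles ) : '?',
        $action,
        wp_doing_ajax() ? 'yes' : 'no',
        get_option( 'users_can_register' ) ? 'yes' : 'no'
    ) );
}
add_action( 'user_register', 'regguard_log_registration', 10, 1 );
```

error_log writes to the PHP error log, or to wp-content/debug.log when WP_DEBUG_LOG is enabled; ship those lines to whatever central log the organization already monitors so the spike detection in item 8 has something to count. The guard only blocks when registration is disabled, so it does not break sites that intentionally allow public signups; for those, the audit line is the control.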
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-04-14T20:16:57.211Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d981cc4522896dcbdac7c
Added to database: 5/21/2025, 9:08:44 AM
Last enriched: 7/6/2025, 7:41:09 PM
Last updated: 8/1/2025, 3:26:48 AM