
CVE-2025-9892: CWE-352 Cross-Site Request Forgery (CSRF) in devrix Restrict User Registration

Severity: Medium
Tags: Vulnerability, CVE-2025-9892, CWE-352
Published: Fri Oct 03 2025 (10/03/2025, 11:17:16 UTC)
Source: CVE Database V5
Vendor/Project: devrix
Product: Restrict User Registration

Description

The Restrict User Registration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the update() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

AI-Powered Analysis

AI analysis last updated: 10/03/2025, 11:28:52 UTC

Technical Analysis

CVE-2025-9892 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WordPress plugin 'Restrict User Registration' developed by devrix. It exists in all versions up to and including 1.0.1 and is caused by missing or incorrect nonce validation in the plugin's update() function. Nonces in WordPress are security tokens tied to a user's session and a specific action; a handler that checks them can verify that a state-changing request was intentionally submitted from the site's own form rather than forged elsewhere. Because this check is absent or incorrect, an attacker can craft a request that, when executed in the browser of an authenticated site administrator (e.g., after clicking a link), updates the plugin's settings without proper authorization. The attacker does not need an account on the site, but the attack relies on social engineering to get an administrator to perform the triggering action. The CVSS v3.1 base score is 5.3 (medium severity): the attack vector is network-based, no privileges are required on the attacker's side, the interaction comes from the victim administrator rather than the attacker, and the impact is to integrity through unauthorized modification of plugin settings. Confidentiality and availability are not impacted. No known exploits in the wild have been reported so far. The vulnerability is classified under CWE-352, which covers CSRF issues where state-changing requests can be forged. Since the plugin controls user registration restrictions, unauthorized changes could weaken site security policies, allowing unwanted registrations or bypassing restrictions, which could lead to further exploitation or abuse of the site.

Potential Impact

For European organizations using WordPress sites with the devrix Restrict User Registration plugin, this vulnerability poses a moderate risk. Unauthorized modification of plugin settings could lead to a relaxation of user registration controls, potentially allowing malicious actors to create unauthorized accounts or bypass registration restrictions. This could facilitate spam registrations, unauthorized access attempts, or serve as a foothold for further attacks such as privilege escalation or data exfiltration. Organizations in sectors with strict data protection regulations (e.g., GDPR) could face compliance risks if unauthorized users gain access or if the integrity of user management is compromised. The impact is particularly relevant for websites that rely on controlled user registration for community portals, intranets, or customer-facing services. While the vulnerability does not directly expose confidential data or cause denial of service, the integrity compromise can indirectly lead to more severe security incidents if exploited as part of a broader attack chain.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should immediately update the devrix Restrict User Registration plugin to a patched version once available. In the absence of an official patch, administrators can implement manual nonce validation in the update() function to ensure that all state-changing requests include valid security tokens. Additionally, organizations should educate site administrators about the risks of clicking on unsolicited links, especially those that could trigger administrative actions. Implementing Content Security Policy (CSP) headers and SameSite cookie attributes can help reduce CSRF risks. Monitoring and logging changes to plugin settings can provide early detection of unauthorized modifications. Restricting administrative access to trusted networks or VPNs and enforcing multi-factor authentication (MFA) for admin accounts can further reduce the risk of exploitation. Regular security audits of WordPress plugins and configurations are recommended to identify and remediate similar vulnerabilities proactively.
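The analysis above describes the root cause (a settings handler that does not verify a nonce) and the mitigation section asks for nonce validation on that handler plus logging of settings changes. The following PHP is an added, illustrative example written for this page; it is not code from the Restrict User Registration plugin, and every name in it (the rur_example_* functions, the 'rur_example_settings' option key, the 'rur_example_update' nonce action and the admin page slug) is hypothetical. It shows the weak pattern beside the hardened one, using only standard WordPress API functions (wp_nonce_field, check_admin_referer, current_user_can, update_option and the update_option_{$option} hook), and adds a change-logging hook for detection.

```php
<?php
// Added example for this page; not the plugin's own code.
// All rur_example_* names and the option key are hypothetical.

// --- Weak pattern: a settings handler that trusts any POST that reaches it. ---
// A cross-origin form auto-submitted in an administrator's browser arrives with the
// admin's session cookies, so this code would change the option for a forged request.
function rur_example_update_weak() {
    $settings = array(
        'allowed_domains' => isset( $_POST['allowed_domains'] )
            ? sanitize_text_field( wp_unslash( $_POST['allowed_domains'] ) )
            : '',
    );
    update_option( 'rur_example_settings', $settings ); // no nonce check, no capability check
}

// --- Hardened pattern, part 1: the settings form emits a nonce bound to the action. ---
function rur_example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'rur_example_update', 'rur_example_nonce' ); ?>
        <input type="hidden" name="action" value="rur_example_update">
        <label>Allowed domains
            <input type="text" name="allowed_domains" value="">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// --- Hardened pattern, part 2: the handler verifies capability and nonce before writing. ---
function rur_example_update_hardened() {
    // 1. Capability check: only users who may manage options can change the settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. Nonce check: the token must match this action and the current user's session.
    //    check_admin_referer() calls wp_die() on failure, so a forged request stops here.
    check_admin_referer( 'rur_example_update', 'rur_example_nonce' );

    // 3. Only now sanitize and persist the submitted values.
    $settings = array(
        'allowed_domains' => isset( $_POST['allowed_domains'] )
            ? sanitize_text_field( wp_unslash( $_POST['allowed_domains'] ) )
            : '',
    );
    update_option( 'rur_example_settings', $settings );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=rur-example' ) ) );
    exit;
}
add_action( 'admin_post_rur_example_update', 'rur_example_update_hardened' );

// --- Detection: log every change to the option so unexpected edits can be spotted. ---
// update_option_{$option} fires after a successful write with the old and new values.
add_action( 'update_option_rur_example_settings', function ( $old_value, $new_value ) {
    error_log( sprintf(
        'rur_example_settings changed by user %d from %s to %s',
        get_current_user_id(),
        wp_json_encode( $old_value ),
        wp_json_encode( $new_value )
    ) );
}, 10, 2 );
```

The order in the hardened handler matters: the capability check rejects anyone who should never reach the setting, and the nonce check rejects requests that did not originate from the site's own form, so a request that passes both was deliberately submitted by an authorized administrator. Sanitizing input alone, as the weak version does, addresses a different class of bug and does nothing against CSRF.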


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-09-02T23:02:42.696Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68dfb277c3835a5fbe033cb3

Added to database: 10/3/2025, 11:24:39 AM

Last enriched: 10/3/2025, 11:28:52 AM

Last updated: 10/7/2025, 6:27:31 AM

Views: 49
