CVE-2025-13540

Tiare · Tiare Membership plugin for WordPress

A critical privilege escalation vulnerability has been identified in the Tiare Membership plugin for WordPress.

Executive summary

A critical privilege escalation vulnerability has been identified in the Tiare Membership plugin for WordPress. This flaw allows an unauthenticated attacker to create a new user account with full administrator privileges by simply manipulating a user registration request. Successful exploitation grants the attacker complete control over the affected website, leading to potential data theft, site defacement, and further system compromise.

Vulnerability

The vulnerability exists within the tiare_membership_init_rest_api_register function, which handles user registration via the WordPress REST API. The function fails to validate or restrict the user role that can be assigned during account creation. An unauthenticated attacker can send a crafted API request to the registration endpoint and include the 'administrator' role in the request parameters. The plugin will process this request without proper authorization checks, resulting in the creation of a new user with full administrative access to the WordPress site.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8, reflecting the high potential for significant business disruption. A successful exploit leads to a complete compromise of the website's confidentiality, integrity, and availability. The potential consequences include theft of sensitive customer or business data, financial loss from disruption to e-commerce functions, and severe reputational damage from website defacement or malware distribution. A compromised website can also be used as a staging ground for launching further attacks against other systems within the organization's network.

Remediation

Immediate Action:

  • Immediately update the Tiare Membership plugin for WordPress to the latest patched version (greater than 1.2) as recommended by the vendor.
  • After patching, conduct a thorough audit of all user accounts, particularly those with administrator privileges. Identify and remove any unauthorized accounts that may have been created.

Proactive Monitoring:

  • Review web server and API logs for POST requests to user registration endpoints. Specifically, search for requests containing a role parameter with a value of administrator or other privileged roles.
  • Enable and monitor WordPress security audit logs for suspicious activities, such as the creation of new administrative users from unknown IP addresses or at unusual times.
  • Utilize a file integrity monitoring system to detect unauthorized changes to core WordPress files, themes, or plugins.
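An added detection example, not part of this advisory, implementing the log review described above in Python: it scans constructed JSON-lines API log entries for POST requests to a registration route and flags any whose query string or body carries a role parameter with a privileged value. The route path, the log field names and the set of roles treated as privileged are assumptions, not values taken from the plugin.

```python
import json
from urllib.parse import urlparse, parse_qs

# Roles treated as privileged for alerting (assumption).
PRIVILEGED_ROLES = {"administrator", "editor"}

# Constructed API log entries (JSON lines). The route path is a placeholder,
# not the plugin's real route; the field names are assumed.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"client_ip": "198.51.100.7", "method": "POST", "uri": "/wp-json/example/v1/register",
     "body": json.dumps({"username": "alice", "email": "alice@example.com"})},
    {"client_ip": "203.0.113.5", "method": "POST", "uri": "/wp-json/example/v1/register",
     "body": json.dumps({"username": "mallory", "role": "administrator"})},
    {"client_ip": "203.0.113.9", "method": "POST", "uri": "/wp-json/example/v1/register?role=Editor",
     "body": "username=trent&email=t%40example.com"},
    {"client_ip": "192.0.2.3", "method": "GET", "uri": "/wp-json/example/v1/register?role=administrator",
     "body": ""},
    {"client_ip": "192.0.2.4", "method": "POST", "uri": "/wp-json/example/v1/register",
     "body": "username=bob&role=subscriber"},
]]

def extract_roles(entry):
    """Lower-cased set of every 'role' value in the query string and body (JSON or form-encoded)."""
    roles = list(parse_qs(urlparse(entry.get("uri", "")).query).get("role", []))
    body = entry.get("body") or ""
    try:
        data = json.loads(body)            # JSON body, as REST clients send
        role = data.get("role") if isinstance(data, dict) else None
        roles += role if isinstance(role, list) else ([role] if role else [])
    except json.JSONDecodeError:           # otherwise treat it as form-encoded
        roles += parse_qs(body).get("role", [])
    return {str(r).strip().lower() for r in roles}

def flag_privileged_registrations(lines):
    """Return (line_no, client_ip, roles) for registration POSTs that try to set a privileged role."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue                       # skip malformed log lines
        path = urlparse(entry.get("uri", "")).path.lower()
        if entry.get("method") != "POST" or "register" not in path:
            continue
        bad = extract_roles(entry) & PRIVILEGED_ROLES
        if bad:
            hits.append((n, entry.get("client_ip"), sorted(bad)))
    return hits
```

Run against real logs, the same check should also cover role values supplied as arrays and in mixed case, since a naive substring search for `role=administrator` misses both.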

Compensating Controls:

  • If immediate patching is not feasible, deploy a Web Application Firewall (WAF) rule to inspect and block registration requests that attempt to set a privileged user role.
  • Temporarily disable user registration through the plugin if the functionality is not critical to business operations.
  • Restrict access to the WordPress REST API endpoints, especially for user registration, allowing connections only from trusted IP addresses.

Exploitation status

Public Exploit Available: true

Analyst recommendation

Given the critical CVSS score of 9.8 and the ease of exploitation, this vulnerability poses a severe and immediate threat. We strongly recommend that organizations using the affected plugin apply the security update on an emergency basis. Following the update, a comprehensive security review must be performed to search for and remediate any signs of prior compromise. Although this CVE is not currently listed on the CISA KEV catalog, its critical nature makes it a prime candidate for future inclusion, and it should be treated with the highest priority.