CVE-2025-34077 CRITICAL

CVE-2025-34077: WordPress Pie Register Plugin ≤ 3.7.1.4 Authentication Bypass RCE

Vendor Genetech Solutions
Product WordPress Pie Register Plugin
Weakness CWE-434 · Unrestricted file upload
Published July 9, 2025
Last update May 15, 2026

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01 Description

An authentication bypass vulnerability exists in the WordPress Pie Register plugin ≤ 3.7.1.4 that allows unauthenticated attackers to impersonate arbitrary users by submitting a crafted POST request to the login endpoint. By setting social_site=true and manipulating the user_id_social_site parameter, an attacker can generate a valid WordPress session cookie for any user ID, including administrators. Once authenticated, the attacker may exploit plugin upload functionality to install a malicious plugin containing arbitrary PHP code, resulting in remote code execution on the underlying server.
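A defender's log check for the request pattern described above, as an added example that is not part of the original record or of the plugin's code. It assumes a hypothetical JSON-lines log from a proxy or WAF that records form-encoded POST bodies; the sample records, the placeholder path and the function names are constructed for illustration.

```python
import json
from urllib.parse import parse_qs

# Constructed sample records, not real traffic. Assumed format: one JSON object
# per line from a proxy or WAF that logs form-encoded request bodies.
# The path is a placeholder; the page does not name the login endpoint's URL.
SAMPLE_LOG = """\
{"ip": "198.51.100.7", "method": "POST", "path": "/LOGIN-PLACEHOLDER", "body": "log=alice&pwd=x"}
{"ip": "203.0.113.45", "method": "POST", "path": "/LOGIN-PLACEHOLDER", "body": "social_site=true&user_id_social_site=1"}
{"ip": "198.51.100.7", "method": "GET", "path": "/LOGIN-PLACEHOLDER", "body": ""}
{"ip": "203.0.113.45", "method": "POST", "path": "/LOGIN-PLACEHOLDER", "body": "social%5Fsite=TRUE&user%5Fid%5Fsocial%5Fsite=3"}
{"ip": "192.0.2.10", "method": "POST", "path": "/LOGIN-PLACEHOLDER", "body": "social_site=false&user_id_social_site=5"}
this line is not JSON
"""


def targeted_user_id(record):
    """Return the user_id_social_site value if the request matches, else None."""
    if str(record.get("method", "")).upper() != "POST":
        return None
    # parse_qs percent-decodes names and values, so encoded spellings still match.
    params = parse_qs(str(record.get("body", "")), keep_blank_values=True)
    flags = [v.strip().lower() for v in params.get("social_site", [])]
    ids = params.get("user_id_social_site", [])
    if "true" in flags and ids:
        return ids[-1]
    return None


def scan(log_text):
    """Return one finding per matching log line; unparseable lines are skipped."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(record, dict):
            continue
        target = targeted_user_id(record)
        if target is not None:
            findings.append({"line": lineno, "ip": record.get("ip"), "user_id": target})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding is a lead for review: correlate the reported user ID with administrator accounts and with any plugin installation that follows from the same source.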

Explanation of Vulnerability in Simple Terms

02 Summary

The Pie Register plugin for WordPress contains an unrestricted file upload vulnerability affecting versions 3.7.1.4 and earlier. An attacker can upload arbitrary files to the site without authentication, potentially allowing them to run malicious code or compromise the entire WordPress installation. This is a critical vulnerability requiring immediate patching.

What an attacker can do

03 Attacker Capabilities

Upload arbitrary files to the site and run malicious code on your WordPress server.

Potential impact on your site

04 Site Impact

Complete compromise of your WordPress site; attacker can steal data, modify content, or take full control.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

July 9, 2025 CVE published
May 15, 2026 Record updated