{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-11167", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-29T16:52:35.968Z", "datePublished": "2025-10-11T08:29:17.346Z", "dateUpdated": "2025-10-14T14:11:07.569Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-11T08:29:17.346Z"}, "affected": [{"vendor": "creativemindssolutions", "product": "CM Registration \u2013 Tailored tool for seamless login and invitation-based registrations", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "2.5.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The CM Registration \u2013 Tailored tool for seamless login and invitation-based registrations plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 2.5.6. This is due to insufficient validation on the redirect url supplied via the 'redirect_url' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action."}], "title": "CM Registration \u2013 Tailored tool for seamless login and invitation-based registrations <= 2.5.6 - Open Redirect", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c10286fe-2fdf-4946-b7bb-a2b16f93abb0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3374121/cm-invitation-codes/trunk/controller/LoginController.php?old=3310298&old_path=cm-invitation-codes%2Ftags%2F2.5.5%2Fcontroller%2FLoginController.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')", "cweId": "CWE-601", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "baseScore": 4.7, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-09-29T17:07:43.000+00:00", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-10T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-14T13:30:22.117056Z", "id": "CVE-2025-11167", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-14T14:11:07.569Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11167", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-14T13:30:22.117056Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-14T13:30:23.862Z"}}], "cna": {"title": "CM Registration \u2013 Tailored tool for seamless login and invitation-based registrations <= 2.5.6 - Open Redirect", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N"}}], "affected": [{"vendor": "creativemindssolutions", "product": "CM Registration \u2013 Tailored tool for seamless login and invitation-based registrations", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.5.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-29T17:07:43.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-10T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c10286fe-2fdf-4946-b7bb-a2b16f93abb0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3374121/cm-invitation-codes/trunk/controller/LoginController.php?old=3310298&old_path=cm-invitation-codes%2Ftags%2F2.5.5%2Fcontroller%2FLoginController.php"}], "descriptions": [{"lang": "en", "value": "The CM Registration \u2013 Tailored tool for seamless login and invitation-based registrations plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 2.5.6. This is due to insufficient validation on the redirect url supplied via the 'redirect_url' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-11T08:29:17.346Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11167", "state": "PUBLISHED", "dateUpdated": "2025-10-14T14:11:07.569Z", "dateReserved": "2025-09-29T16:52:35.968Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-11T08:29:17.346Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The CM Registration \u2013 Tailored tool for seamless login and invitation-based registrations plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 2.5.6. This is due to insufficient validation on the redirect url supplied via the 'redirect_url' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action."}], "id": "CVE-2025-11167", "lastModified": "2025-10-14T19:36:59.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "[email protected]", "type": "Primary"}]}, "published": "2025-10-11T09:15:31.997", "references": [{"source": "[email protected]", "url": "https://plugins.trac.wordpress.org/changeset/3374121/cm-invitation-codes/trunk/controller/LoginController.php?old=3310298&old_path=cm-invitation-codes%2Ftags%2F2.5.5%2Fcontroller%2FLoginController.php"}, {"source": "[email protected]", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c10286fe-2fdf-4946-b7bb-a2b16f93abb0?source=cve"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "[email protected]", "type": "Primary"}]}

{}