Description

The User Registration & Membership plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.1.5. This is due to the is_admin_creation_process() method relying solely on the presence of action=createuser in the $_REQUEST superglobal without performing any authentication or capability check. This makes it possible for unauthenticated attackers to bypass the admin approval requirement when registering new accounts via the fallback submission path.
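The check described above, next to a hardened form, as an added example that is not the plugin's source code. All function names and the 'approved'/'pending' status strings are hypothetical, and the weak version is reconstructed only from the description. It assumes the code runs inside WordPress; the nonce action and field name are the ones WordPress core uses on its own wp-admin/user-new.php form.

```php
<?php
// Added illustration; NOT the plugin's source. Function names are hypothetical.
// Assumes WordPress is loaded (current_user_can(), wp_verify_nonce(), etc.).

// Check as the advisory describes it: one request parameter decides whether
// the registration counts as an administrator creating the account.
function example_is_admin_creation_process_weak() {
	return isset( $_REQUEST['action'] ) && 'createuser' === $_REQUEST['action'];
}

// Hardened form: the parameter is only a hint; the decision rests on who is
// making the request and on a nonce issued to that user.
function example_is_admin_creation_process_hardened() {
	if ( ! isset( $_REQUEST['action'] ) || 'createuser' !== $_REQUEST['action'] ) {
		return false;
	}
	// is_admin() alone is not an authorization check: it reports the request
	// context, not the caller's privileges.
	if ( ! is_admin() || ! is_user_logged_in() || ! current_user_can( 'create_users' ) ) {
		return false;
	}
	// Nonce action and field name used by core's wp-admin/user-new.php form.
	$nonce = isset( $_REQUEST['_wpnonce_create-user'] )
		? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce_create-user'] ) )
		: '';
	return (bool) wp_verify_nonce( $nonce, 'create-user' );
}

// Hypothetical caller: anything that is not a verified admin creation stays
// pending, so a failed or missing check falls back to requiring approval.
function example_initial_approval_status() {
	return example_is_admin_creation_process_hardened() ? 'approved' : 'pending';
}
```

The default in the hardened path is denial: every early return leaves the account pending, so the approval requirement only lifts when authentication, capability and nonce all pass.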

PUBLISHED Reserved 2026-04-12 | Published 2026-05-14 | Updated 2026-05-14 | Assigner Wordfence




MEDIUM: 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-862 Missing Authorization

Product status

Default status
unaffected

Any version
affected

Timeline

2026-03-09: Discovered
2026-04-12: Vendor Notified
2026-05-13: Disclosed

Credits

Anthony Cihan (finder)

References

www.wordfence.com/...-24c9-4921-bb5f-a7726ebc5c2a?source=cve

plugins.trac.wordpress.org/...des/class-ur-user-approval.php

cve.org (CVE-2026-6145)

nvd.nist.gov (CVE-2026-6145)