User Registration & Membership
Moderate fix1 remedy
cpe:2.3:a:wpeverest:user_registration_&_membership:*:*:*:*:wordpress:*:*
Moderate fix1 remedy
- <= 5.1.4
User Registration and Membership Plugin Missing Authorization Vulnerability on WordPress
Vulnerability
Patched
A vulnerability exists in the User Registration & Membership plugin for WordPress, specifically in versions through 5.1.4. The issue arises from a lack of proper capability checks in the 'embed_form_action()' function, allowing authenticated attackers with Contributor-level access or higher to unauthorizedly modify page content. This can be exploited by appending shortcode to pages that the attacker does not own or cannot edit.
Impact
Exploitation of this vulnerability allows for unauthorized modification of page content, specifically through the addition of shortcodes that can be executed on the page.
Reproduction
To reproduce this vulnerability, an authenticated user with Contributor-level access can use the 'embed_form_action()' function without the necessary capability checks. This can be done by sending a request that includes the 'page_id' and 'form_id' parameters, targeting a page that the user does not own or have permission to edit.
Remediation
Users are advised to update the User Registration & Membership plugin to version 5.1.5 or later.
Added: May 5, 2026, 9:18 AM
Updated: May 5, 2026, 9:18 AM
Vulnerability Rating
Custom Algorithm
spread
5.2impact
0.6exploitability
6.4remediation
7.7relevance
7.5threat
4.8urgency
2.9incentive
0.0Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.