User Registration and Membership WordPress Plugin Missing Authorization Vulnerability Bypassing Admin Approval

Vulnerability

A vulnerability exists in the User Registration & Membership plugin for WordPress, affecting all versions through 5.1.5. The issue stems from the is_admin_creation_process() method, which improperly relies on the action=createuser parameter in the $_REQUEST superglobal. This approach lacks necessary authentication or capability checks, allowing unauthenticated attackers to circumvent admin approval when registering new accounts via the fallback submission method.
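The PHP sketch below is an added example, not the plugin's source code: it contrasts a check that trusts action=createuser from the request with one that also requires a logged-in user holding WordPress's create_users capability. The _weak and _checked function names, initial_status() and the status strings are hypothetical, and the stand-in functions simulate an unauthenticated visitor so the file runs outside WordPress.

```php
<?php
// Added illustration. Names other than is_admin_creation_process, $_REQUEST
// and action=createuser are hypothetical; this is not the plugin's code.

// Constructed stand-ins so the file runs outside WordPress, simulating an
// unauthenticated visitor. Under WordPress the real core functions are used.
if ( ! function_exists( 'is_user_logged_in' ) ) {
    function is_user_logged_in() { return false; }
    function current_user_can( $capability ) { return false; }
}

// Pattern described in the advisory: the request parameter alone decides
// whether this registration counts as an admin creating a user.
function is_admin_creation_process_weak( array $request ) {
    return isset( $request['action'] ) && 'createuser' === $request['action'];
}

// Hardened pattern: the parameter only counts when the caller is a logged-in
// user who holds the core 'create_users' capability.
function is_admin_creation_process_checked( array $request ) {
    return is_admin_creation_process_weak( $request )
        && is_user_logged_in()
        && current_user_can( 'create_users' );
}

// Hypothetical status decision: admin-created accounts skip the approval queue.
function initial_status( $admin_created ) {
    return $admin_created ? 'approved' : 'pending';
}

// Constructed request data from a visitor who is not logged in.
$request = array( 'action' => 'createuser' );

printf( "parameter only:   %s\n", initial_status( is_admin_creation_process_weak( $request ) ) );
printf( "capability check: %s\n", initial_status( is_admin_creation_process_checked( $request ) ) );
```

WordPress's is_admin() is not a substitute for the capability check, because it only reports whether the request targets an admin screen, not who is making it.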

Impact

Exploitation of this vulnerability allows unauthenticated users to bypass the admin approval process for new user registrations, potentially leading to unauthorized access or privileges.

Remediation

Users can update to version 5.1.6 or a newer patched version to address this vulnerability.

Added: May 14, 2026, 9:20 AM
Updated: May 14, 2026, 9:20 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 0.6
exploitability: 8.2
remediation: 7.7
relevance: 8.3
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.