CVE-2026-14250 in Login Registration Plugin
Summary
by MITRE • 07/08/2026
The Themehunk Login Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.2. This is due to the handle_frontend_register() function in the unauthenticated /thlogin/v1/register REST endpoint accepting a user-controlled 'role' parameter and validating it only against get_editable_roles() — which returns every defined editable site role, including 'editor' — before passing it to wp_insert_user(). This makes it possible for unauthenticated attackers, when public user registration is enabled, to create new accounts with the editor role.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/08/2026
The Themehunk Login Registration plugin for WordPress presents a critical privilege escalation vulnerability that undermines the security model of WordPress installations. This flaw exists in versions up to and including 1.0.2 where the handle_frontend_register() function within the unauthenticated /thlogin/v1/register REST endpoint fails to properly validate user-provided role parameters. The vulnerability stems from insufficient input sanitization that allows attackers to manipulate the role assignment during user registration processes, creating a pathway for unauthorized privilege elevation.
The technical implementation of this vulnerability occurs through the REST API endpoint which accepts user-controlled role parameters without adequate validation mechanisms. When public user registration is enabled on a WordPress site, any unauthenticated attacker can submit a registration request containing a role parameter set to 'editor' or other editable roles. The plugin's validation logic only checks against get_editable_roles() which returns all editable roles defined in the WordPress installation, including administrative roles such as editor, author, and contributor. This validation bypass allows malicious actors to specify roles that should normally require authentication or administrative privileges.
The operational impact of this vulnerability is significant for WordPress administrators who may not realize that unauthenticated users can create accounts with elevated privileges. An attacker exploiting this vulnerability can register new accounts with editor capabilities, which grants them the ability to publish and edit posts, manage comments, and access certain administrative features depending on the specific role assigned. This represents a direct violation of WordPress's security model where role assignments should be restricted to authenticated administrators who have proper authorization to grant such privileges.
The vulnerability aligns with CWE-264, which describes permissions, privileges, and access control issues in software systems. It also corresponds to ATT&CK technique T1078.004 which covers valid accounts obtained through phishing or credential reuse attacks. This weakness creates a scenario where attackers can obtain valid accounts with elevated privileges without needing to compromise actual administrative credentials, making it particularly dangerous for WordPress sites that allow public registration.
Security mitigation strategies should focus on immediate plugin updates to versions that address this validation flaw. Administrators should disable public user registration if it is not required for their site operations, as this removes the attack surface entirely. Additionally, implementing proper input validation that explicitly restricts role assignment parameters to predefined safe values would prevent attackers from specifying arbitrary roles during account creation. Network-level protections such as rate limiting on registration endpoints and monitoring for unusual registration patterns can provide additional layers of defense against exploitation attempts.
Organizations should also consider implementing the principle of least privilege by ensuring that only necessary roles are available for public registration, and that any role assignments require proper authentication and authorization processes. Regular security audits of WordPress plugins and themes should include validation of REST API endpoint security to identify similar privilege escalation vulnerabilities across the entire WordPress ecosystem. The vulnerability demonstrates the critical importance of validating all user-controlled inputs in web applications, particularly when those inputs relate to security-sensitive operations such as role assignment within content management systems.