CVE-2026-6145 in User Registration & Membership Plugin
Summary
by MITRE • 05/14/2026
The User Registration & Membership plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.1.5. This is due to the is_admin_creation_process() method relying solely on the presence of action=createuser in the $_REQUEST superglobal without performing any authentication or capability check. This makes it possible for unauthenticated attackers to bypass the admin approval requirement when registering new accounts via the fallback submission path.
Analysis
by VulDB Data Team • 05/14/2026
The User Registration & Membership plugin for WordPress presents a critical security vulnerability classified as missing authorization, affecting all versions up to and including 5.1.5. This flaw resides within the plugin's administrative user creation process, specifically in the is_admin_creation_process() method that handles user registration workflows. The vulnerability stems from inadequate authentication checks that permit unauthorized access to administrative user creation functions through the fallback submission path. Attackers can exploit this weakness by simply including action=createuser in the $_REQUEST superglobal parameter, bypassing all normal authentication requirements and administrative approval processes that should normally govern new user account creation.
The technical implementation of this vulnerability demonstrates a fundamental flaw in access control validation where the plugin fails to verify user credentials or administrative privileges before executing user creation operations. The is_admin_creation_process() method operates under the assumption that any request containing the action=createuser parameter constitutes a legitimate administrative request, without performing essential capability checks or authentication verification. This primitive approach to access control violates core security principles and creates an unauthorized access vector that allows attackers to circumvent the intended user registration workflow. The vulnerability specifically targets the fallback submission path, which represents an alternative user registration mechanism that should normally require administrative approval but instead remains accessible to unauthenticated users.
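The following PHP is an added illustration, not the plugin's own code and not its vendor fix. It shows the check pattern the advisory describes (a branch taken purely on `action=createuser` in `$_REQUEST`) next to a hardened form that additionally requires an authenticated actor with the `create_users` capability, an admin context, and a valid nonce. The function names prefixed `ur_example_` and the `status` field are placeholders for this example; `current_user_can`, `is_admin`, `wp_verify_nonce` and the `create-user` nonce action are WordPress core APIs.

```php
<?php
/**
 * Vulnerable pattern as described in the advisory (illustrative, not the
 * plugin's code): the only evidence that this is an admin-side creation
 * is a request parameter, which any unauthenticated client can supply.
 */
function ur_example_is_admin_creation_process_vulnerable() {
    return isset( $_REQUEST['action'] ) && 'createuser' === $_REQUEST['action'];
}

/**
 * Hardened pattern: the request parameter alone proves nothing, so the
 * "admin creation" branch is honoured only when the request comes from an
 * authenticated user who may create users, from an admin context, carrying
 * the nonce that core's Add New User screen issues
 * (wp_nonce_field( 'create-user', '_wpnonce_create-user' )).
 */
function ur_example_is_admin_creation_process_hardened() {
    // Request-shape check first, as before.
    if ( ! isset( $_REQUEST['action'] ) || 'createuser' !== $_REQUEST['action'] ) {
        return false;
    }

    // Authentication and capability: the actor must be allowed to create users.
    if ( ! is_user_logged_in() || ! current_user_can( 'create_users' ) ) {
        return false;
    }

    // Context: the public front-end registration form never qualifies.
    if ( ! is_admin() ) {
        return false;
    }

    // CSRF protection: the nonce ties the request to the admin screen.
    $nonce = isset( $_REQUEST['_wpnonce_create-user'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce_create-user'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'create-user' ) ) {
        return false;
    }

    return true;
}

/**
 * Approval decision keyed on the hardened check. Anything that is not a
 * verified admin creation falls into the normal approval flow, modelled
 * here as a 'pending' status (placeholder field for this example).
 */
function ur_example_decide_approval( array $user_data ) {
    if ( ur_example_is_admin_creation_process_hardened() ) {
        $user_data['status'] = 'approved'; // created directly by an authorised admin
    } else {
        $user_data['status'] = 'pending';  // requires admin approval
    }
    return $user_data;
}
```

The essential point is that the decision to skip approval must derive from who the actor is (session plus capability) rather than from what the request says about itself; the nonce check is an extra layer against a logged-in admin being driven through the path cross-site.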
The operational impact of this vulnerability is significant as it enables unauthorized individuals to create new user accounts within the WordPress environment without proper authorization. This unauthorized account creation capability can lead to various security consequences including potential privilege escalation, unauthorized access to administrative functions, and the establishment of persistent access points within the system. Attackers can exploit this vulnerability to create accounts with various permission levels, potentially gaining access to restricted areas of the website or even administrative privileges if the plugin configuration allows for such escalation. The vulnerability essentially undermines the plugin's intended security model by removing the mandatory administrative approval requirement for user registration, creating an opening for malicious actors to compromise the system.
This vulnerability aligns with CWE-862, which identifies "Missing Authorization" as a weakness where the application does not properly verify that an actor is authorized to perform a requested operation. The flaw also corresponds to ATT&CK technique T1078.004, which covers "Valid Accounts: Cloud Accounts" and represents the exploitation of legitimate account creation mechanisms to establish unauthorized access. Organizations using this plugin version should immediately implement mitigations including updating to the latest plugin version that addresses this authorization flaw, implementing additional access controls through custom code or security plugins, and monitoring user registration activities for suspicious patterns. The recommended approach involves enforcing proper authentication checks before allowing any administrative user creation operations, implementing rate limiting on registration requests, and ensuring that all user account creation processes require appropriate authorization verification to prevent unauthorized account provisioning.
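To support the monitoring recommendation above, the following must-use plugin snippet is an added example, not code from the plugin or its vendor. It hooks the core `user_register` action and writes one audit line per account creation, flagging creations that carry `action=createuser` without an authenticated actor holding `create_users`, which is exactly the request shape the advisory describes. The log line format, the `ur_example_` function name and the field names are this example's own choices.

```php
<?php
/**
 * Added audit example (not the plugin's code). Place in wp-content/mu-plugins/
 * so it loads before regular plugins. Every registration, from whatever path,
 * produces one JSON line in the PHP error log for the site's log pipeline.
 */
add_action( 'user_register', 'ur_example_log_registration', 10, 1 );

function ur_example_log_registration( $user_id ) {
    $action      = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';
    $claims_admin = ( 'createuser' === $action );
    $authorized   = is_user_logged_in() && current_user_can( 'create_users' );
    $user         = get_userdata( $user_id );

    $record = array(
        'time'        => gmdate( 'c' ),
        'user_id'     => (int) $user_id,
        'login'       => $user ? $user->user_login : '',
        'roles'       => $user ? implode( ',', (array) $user->roles ) : '',
        'action'      => $action,
        'admin_ctx'   => is_admin() ? 1 : 0,
        'actor_id'    => get_current_user_id(), // 0 for unauthenticated requests
        'remote_addr' => isset( $_SERVER['REMOTE_ADDR'] )
            ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
            : '',
        'uri'         => isset( $_SERVER['REQUEST_URI'] )
            ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) )
            : '',
        // The condition the advisory describes: a request claiming the admin
        // creation path with no authenticated, capable actor behind it.
        'suspicious'  => ( $claims_admin && ! $authorized ) ? 1 : 0,
    );

    error_log( 'user_registration_audit ' . wp_json_encode( $record ) );
}
```

Alerting on `"suspicious":1` gives a direct detection for the bypass, and the `actor_id`, `roles` and `remote_addr` fields give the context needed to review accounts created while a vulnerable version was installed. Because the hook fires after the account exists, this is detection rather than prevention; the authorization fix belongs in the creation path itself.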