Vulnerability Description
The User Registration & Membership plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.1.5. This is due to the is_admin_creation_process() method relying solely on the presence of action=createuser in the $_REQUEST superglobal without performing any authentication or capability check. This makes it possible for unauthenticated attackers to bypass the admin approval requirement when registering new accounts via the fallback submission path.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset/3516468/user-registration/trunk/inc
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b6b349f2-24c9-4921-bb5
FAQ
What is CVE-2026-6145?
CVE-2026-6145 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The User Registration & Membership plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.1.5. This is due to the is_admin_creation_process() method relyin...
How severe is CVE-2026-6145?
CVE-2026-6145 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-6145?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.