CVE-2026-25425

Vulnerability

The WordPress User Registration plugin versions 5.1.2 and below contain a broken access control vulnerability [1]. The issue arises from missing authorization, authentication, or nonce token checks in one or more functions, enabling unauthenticated users to execute actions that should require higher privileges [1]. No special configuration is required for this code path to be reachable; the vulnerability affects all instances running the affected versions [1].

Exploitation

An attacker can exploit this vulnerability without any authentication or prior access to the WordPress site [1]. By crafting requests that bypass the missing access controls, the attacker can trigger privileged operations without needing any user interaction or race window timing [1]. The vulnerability is reported to be used in mass-exploit campaigns, attacking thousands of websites indiscriminately [1].

Impact

Successful exploitation allows an unauthenticated attacker to perform higher-privileged actions, effectively leading to privilege escalation [1]. Depending on the specific missing access controls, this could result in unauthorized data manipulation, account creation with elevated roles, or other administrative actions [1]. The CVSS score of 7.5 (High) indicates significant potential for compromise [1].

Mitigation

The vulnerability is fixed in version 5.1.3 of the plugin, released on an unspecified date [1]. Users are strongly advised to update to version 5.1.3 or later immediately [1]. For those unable to update, contacting the hosting provider or a web developer for assistance is recommended [1]. Patchstack users can enable auto-updates for vulnerable plugins [1]. No workaround beyond updating has been published as of the advisory date [1].