VYPR
Medium severity4.3NVD Advisory· Published May 5, 2026· Updated May 5, 2026

CVE-2026-3601

CVE-2026-3601

Description

The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the embed_form_action() function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to append shortcode content to arbitrary pages they do not own or have permission to edit.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2

Patches

Vulnerability mechanics

References

6

News mentions

2