User Registration
by WordPress
CVEs (28)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-3601 | | Med | 0.21 | 4.3 | 0.00 | | May 5, 2026 | The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `embed_form_action()` function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers,… |
| CVE-2026-49081 | | | 0.00 | — | 0.00 | | Jun 17, 2026 | Unauthenticated Broken Access Control in User Registration Stripe <= 1.3.12 versions. |
| CVE-2026-40726 | | | 0.00 | — | 0.00 | | Jun 17, 2026 | Unauthenticated Broken Access Control in User Registration Stripe <= 1.3.14 versions. |
| CVE-2024-1290 | | | 0.00 | — | 0.01 | | Mar 11, 2024 | The User Registration WordPress plugin before 2.12 does not prevent users with at least the contributor role from rendering sensitive shortcodes, allowing them to generate, and leak, valid password reset URLs, which they can use to take over any accounts. |
| CVE-2023-0824 | | | 0.00 | — | 0.00 | | Jan 16, 2024 | The User registration & user profile WordPress plugin through 2.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged-in admin add Stored XSS payloads via a CSRF attack. |
| CVE-2023-5228 | | | 0.00 | — | 0.01 | | Nov 6, 2023 | The User Registration WordPress plugin before 3.0.4.2 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in… |
| CVE-2022-3912 | | | 0.00 | — | 0.01 | | Dec 12, 2022 | The User Registration WordPress plugin before 2.2.4.1 does not properly restrict the files to be uploaded via an AJAX action available to both unauthenticated and authenticated users, which could allow unauthenticated users to upload PHP files for example. |
| CVE-2021-24654 | | | 0.00 | — | 0.01 | | Oct 4, 2021 | The User Registration WordPress plugin before 2.0.2 does not properly sanitise the user_registration_profile_pic_url value when submitted directly via the user_registration_update_profile_details AJAX action. This could allow any authenticated user, such as subscriber, to… |
Page 2 of 2