← back to popular plugins
wordfence / plugin · user-registration

User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder

user-registration
total installs
60,000
total vulns
24
critical
3
high
2
medium
19
low
0
latest vuln
patched
24
unpatched
0
avg time to patch
vulnerabilities (24)
User Registration & Membership <= 5.1.5 - Unauthenticated Missing Authorization to Admin Approval Bypass via 'action' Parameter
medium ✓ patched
cve id CVE-2026-6145 ↗
cvss score 5.3
cwe CWE-862: Missing Authorization
published May 13, 2026
The User Registration & Membership plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.1.5. This is due to the is_admin_creation_process() method relying solely on the presence of action=createuser in the $_REQUEST superglobal without performing any authentication or capability check. This makes it possible for unauthenticated attackers to bypass the admin approval requirement when registering new accounts via the fallback submission path.
User Registration & Membership <= 5.1.4 - Missing Authorization to Authenticated (Contributor+) Limited Page Content Modification
medium ✓ patched
cve id CVE-2026-3601 ↗
cvss score 4.3
cwe CWE-862: Missing Authorization
published May 4, 2026
The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `embed_form_action()` function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to append shortcode content to arbitrary pages they do not own or have permission to edit.
User Registration & Membership <= 5.1.4 - Unauthenticated Open Redirect via 'redirect_to_on_logout' Parameter
medium ✓ patched
cve id CVE-2026-6203 ↗
cvss score 6.1
cwe CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
published Apr 13, 2026
The User Registration & Membership plugin for WordPress is vulnerable to Open Redirect in versions up to and including 5.1.4. This is due to insufficient validation of user-supplied URLs passed via the 'redirect_to_on_logout' GET parameter before redirecting users. The `redirect_to_on_logout` GET parameter is passed directly to WordPress's `wp_redirect()` function instead of the domain-restricted `wp_safe_redirect()`. While `esc_url_raw()` is applied to sanitize malformed URLs, it does not restrict the redirect destination to the local domain, allowing an attacker to craft a specially formed link that redirects users to potentially malicious external URLs after logout, which could be used to facilitate phishing attacks.
User Registration <= 5.1.5 - Reflected Cross-Site Scripting
medium ✓ patched
cve id CVE-2026-42652 ↗
cvss score 6.1
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Apr 9, 2026
The User Registration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 5.1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
User Registration & Membership <= 5.1.2 - Authenticated (Subscriber+) SQL Injection via membership_ids[]
medium ✓ patched
cve id CVE-2026-1865 ↗
cvss score 6.5
cwe CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
published Apr 7, 2026
The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to SQL Injection via the ‘membership_ids[]’ parameter in all versions up to, and including, 5.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
User Registration & Membership <= 5.1.4 - Missing Authorization to Authenticated (Contributor+) Content Access Rule Manipulation
medium ✓ patched
cve id CVE-2026-4056 ↗
cvss score 5.4
cwe CWE-862: Missing Authorization
published Mar 23, 2026
The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Content Access Rules REST API endpoints in versions 5.0.1 through 5.1.4. This is due to the `check_permissions()` method only checking for `edit_posts` capability instead of an administrator-level capability. This makes it possible for authenticated attackers, with Contributor-level access and above, to list, create, modify, toggle, duplicate, and delete site-wide content restriction rules, potentially exposing restricted content or denying legitimate user access.
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder <= 4.4.9 - Unauthenticated Remote Code Execution
critical ✓ patched
cve id CVE-2026-32488 ↗
cvss score 9.8
cwe CWE-266: Incorrect Privilege Assignment
published Mar 23, 2026
The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.4.9. This makes it possible for unauthenticated attackers to execute code on the server.
User Registration & Membership <= 5.1.2 - Unauthenticated Privilege Escalation via Membership Registration
critical ✓ patched
cve id CVE-2026-1492 ↗
cvss score 9.8
cwe CWE-269: Improper Privilege Management
published Mar 2, 2026
The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to improper privilege management in all versions up to, and including, 5.1.2. This is due to the plugin accepting a user-supplied role during membership registration without properly enforcing a server-side allowlist. This makes it possible for unauthenticated attackers to create administrator accounts by supplying a role value during membership registration.
User Registration & Membership <= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Limited User Deletion
medium ✓ patched
cve id CVE-2026-2356 ↗
cvss score 5.3
cwe CWE-284: Improper Access Control
published Feb 25, 2026
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2 via the 'register_member' function, due to missing validation on the 'member_id' user controlled key. This makes it possible for unauthenticated attackers to delete arbitrary user accounts that newly registered on the site who has the 'urm_user_just_created' user meta set.
User Registration & Membership <= 5.1.2 - Authentication Bypass
high ✓ patched
cve id CVE-2026-1779 ↗
cvss score 8.1
cwe CWE-288: Authentication Bypass Using an Alternate Path or Channel
published Feb 25, 2026
The User Registration & Membership plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.2. This is due to incorrect authentication in the 'register_member' function. This makes it possible for unauthenticated attackers to log in a newly registered user on the site who has the 'urm_user_just_created' user meta set.
User Registration <= 4.4.6 - Missing Authorization
medium ✓ patched
cve id CVE-2025-67956 ↗
cvss score 5.3
cwe CWE-862: Missing Authorization
published Jan 21, 2026
The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.4.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.
User Registration & Membership <= 4.4.8 - Cross-Site Request Forgery to Arbitrary Post Deletion
medium ✓ patched
cve id CVE-2025-14976 ↗
cvss score 5.4
cwe CWE-352: Cross-Site Request Forgery (CSRF)
published Jan 9, 2026
The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.8. This is due to missing or incorrect nonce validation on the 'process_row_actions' function with the 'delete' action. This makes it possible for unauthenticated attackers to delete arbitrary post via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
User Registration <= 4.4.9 - Authenticated (Subscriber+) Arbitrary Shortcode Execution
medium ✓ patched
cve id CVE-2026-24353 ↗
cvss score 5.4
cwe CWE-94: Improper Control of Generation of Code ('Code Injection')
published Jan 8, 2026
The The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.4.9. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.
User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin <= 4.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
medium ✓ patched
cve id CVE-2025-13367 ↗
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Dec 15, 2025
The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcode attributes in all versions up to, and including, 4.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
User Registration & Membership <= 4.3.0 - Authenticated (Admin+) SQL Injection
medium ✓ patched
cve id CVE-2025-9085 ↗
cvss score 4.9
cwe CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
published Sep 5, 2025
The User Registration & Membership plugin for WordPress is vulnerable to SQL Injection via the 's' parameter in version 4.3.0. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
User Registration <= 4.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via urcr_restrict Shortcode
medium ✓ patched
cve id CVE-2025-6831 ↗
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Jul 21, 2025
The User Registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's urcr_restrict shortcode in all versions up to, and including, 4.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
User Registration & Membership – Custom Registration Form, Login Form, and User Profile <= 4.2.1 - Insecure Direct Object Reference to Unauthenticated Limited User Deletion
medium ✓ patched
cve id CVE-2025-3281 ↗
cvss score 5.3
cwe CWE-639: Authorization Bypass Through User-Controlled Key
published May 5, 2025
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.1 via the create_stripe_subscription() function, due to missing validation on the 'member_id' user controlled key. This makes it possible for unauthenticated attackers to delete arbitrary user accounts that have registered through the plugin.
User Registration <= 4.1.5 - Reflected Cross-Site Scripting
medium ✓ patched
cve id CVE-2025-39400 ↗
cvss score 6.1
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Apr 22, 2025
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 4.1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
User Registration & Membership – Custom Registration Form, Login Form, and User Profile <= 4.1.3 - Insecure Direct Object Reference to Authenticated (Subscriber+) User Password Update
medium ✓ patched
cve id CVE-2025-3292 ↗
cvss score 4.3
cwe CWE-639: Authorization Bypass Through User-Controlled Key
published Apr 11, 2025
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.3 via the user_registration_update_profile_details() due to missing validation on the 'user_id' user controlled key. This makes it possible for unauthenticated attackers to update other user's passwords, if they have access to the user ID and email.
User Registration & Membership – Custom Registration Form, Login Form, and User Profile <= 4.1.3 - Insecure Direct Object Reference to Unauthenticated Membership Modification
medium ✓ patched
cve id CVE-2025-3282 ↗
cvss score 5.3
cwe CWE-639: Authorization Bypass Through User-Controlled Key
published Apr 11, 2025
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.3 via the user_registration_membership_register_member() due to missing validation on the 'membership_id' user controlled key. This makes it possible for unauthenticated attackers to update any user's membership to any other active or non-active membership type.
User Registration & Membership <= 4.1.2 - Authentication Bypass
high ✓ patched
cve id CVE-2025-2594 ↗
cvss score 8.1
cwe CWE-288: Authentication Bypass Using an Alternate Path or Channel
published Apr 1, 2025
The User Registration & Membership plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 4.1.2. This is due to incorrect authentication in the 'confirm_payment()' function. This makes it possible for unauthenticated attackers to log in an existing user on the site, even an administrator.
User Registration <= 4.0.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
medium ✓ patched
cve id CVE-2025-30899 ↗
cvss score 4.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Mar 27, 2025
The User Registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts multi-site installations and installations where unfiltered_html has been disabled.
User Registration & Membership <= 4.1.1 - Unauthenticated Privilege Escalation
critical ✓ patched
cve id CVE-2025-2563 ↗
cvss score 9.8
cwe CWE-269: Improper Privilege Management
published Mar 24, 2025
The User Registration & Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 4.1.1. This is due to insufficient restrictions on role type in the 'prepare_members_data()' function. This makes it possible for unauthenticated attackers to create new user accounts with the 'administrator'' role.
User Registration & Membership – Custom Registration Form, Login Form, and User Profile <= 4.0.4 - Reflected Cross-Site Scripting
medium ✓ patched
cve id CVE-2025-1511 ↗
cvss score 6.1
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Feb 27, 2025
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 4.0.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.