CVE-2026-1779
Authentication Bypass in WordPress User Registration Plugin
Publication date: 2026-02-26
Last updated on: 2026-02-26
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp-everest | user_registration | up to and including 5.1.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
Can you explain this vulnerability to me?
The User Registration & Membership plugin for WordPress is vulnerable to authentication bypass in versions up to and including 5.1.2. The 'register_member' function does not properly handle authentication, so an unauthenticated attacker can log in as a newly registered user that has the 'urm_user_just_created' user meta set.
How can this vulnerability impact me?:
An unauthenticated attacker can log in to the site as a newly registered user without having to authenticate as that user. The access gained is that of the newly registered account, so the scope of what the attacker can do depends on the role such accounts receive, but any such unauthorized login undermines the confidentiality, integrity and availability of the affected WordPress site.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is an authentication bypass in the 'register_member' function of the User Registration & Membership WordPress plugin: it lets unauthenticated attackers log in as a newly registered user that has the 'urm_user_just_created' user meta set.

To check whether you are exposed, confirm whether your WordPress installation runs the User Registration & Membership plugin at version 5.1.2 or earlier (for example with `wp plugin list`).

You can also monitor for POST requests to the AJAX action 'register_member' that may be attempting the bypass. Suggested checks:

- Use WP-CLI or database queries to identify users with the 'urm_user_just_created' meta key set. This meta marks newly registered users, so its presence alone does not prove exploitation; treat it as a list of accounts to review and correlate their registration times with request logs.
- Example WP-CLI command for a given user: `wp user meta get <user_id> urm_user_just_created`
- Example SQL query for all such users: `SELECT user_id FROM wp_usermeta WHERE meta_key = 'urm_user_just_created';` (adjust the `wp_` table prefix if your site uses another one)
- Monitor web server logs for POST requests to admin-ajax.php with the action parameter 'register_member' from clients that are not logged in. Standard access logs record neither POST bodies nor cookies: the action is only visible there when it is passed in the query string, and telling unauthenticated clients apart requires a log format (or WAF log) that captures the wordpress_logged_in cookie. [1]
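As an added worked example (not code from the advisory, from Wordfence, or from the plugin), the following Python puts the detection steps above together: it parses constructed combined-format access log lines for POST requests to admin-ajax.php carrying action=register_member, flags clients that burst that action, lists users still carrying the urm_user_just_created meta together with their capabilities from a constructed sqlite3 stand-in for wp_users/wp_usermeta, and correlates each such user's registration time with the request timing, since the meta key alone also marks legitimate sign-ups. Assumptions: the action is passed in the query string (standard access logs do not record POST bodies), the stock WordPress schema with the default wp_ prefix, and user_registered stored in UTC; all log lines and database rows are constructed, and the burst threshold and five-minute window are illustrative values.

```python
"""Triage helpers for the 'register_member' authentication-bypass advisory (added example,
not code from the advisory or the plugin). Assumed: combined-format access logs with the
AJAX action in the query string (POST bodies are not logged, so body-carried actions are
missed); stock wp_users/wp_usermeta schema with the default 'wp_' prefix; user_registered
stored in UTC. Log lines and table rows below are constructed, not from a real site."""
import re
import sqlite3
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log: a scripted burst from one client, ordinary traffic from others.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Feb/2026:03:14:01 +0000] "POST /wp-admin/admin-ajax.php?action=register_member HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '203.0.113.7 - - [25/Feb/2026:03:14:02 +0000] "POST /wp-admin/admin-ajax.php?action=register_member HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '203.0.113.7 - - [25/Feb/2026:03:14:03 +0000] "POST /wp-admin/admin-ajax.php?action=register_member HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '198.51.100.4 - - [25/Feb/2026:08:00:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 128 "https://example.test/wp-admin/" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Feb/2026:08:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [25/Feb/2026:09:30:00 +0000] "POST /wp-admin/admin-ajax.php?action=register_member HTTP/1.1" 200 312 "https://example.test/register/" "Mozilla/5.0"',
]

def parse_line(line):
    """Parse one combined-format line into a dict; None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["path"])
    rec["file"], rec["query"] = parts.path, {k: v[0] for k, v in parse_qs(parts.query).items()}
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_register_member_requests(lines):
    """POST requests to admin-ajax.php whose query string carries action=register_member."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        if (rec["method"] == "POST" and rec["file"].endswith("/wp-admin/admin-ajax.php")
                and rec["query"].get("action") == "register_member"):
            hits.append(rec)
    return hits

def suspicious_sources(hits, threshold=3):
    """Client IPs that issued at least `threshold` register_member POSTs (burst heuristic)."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Users the plugin still flags as just created, with their serialized capabilities, so an
# unexpected or over-privileged account stands out during review.
TRIAGE_SQL = """
SELECT u.ID, u.user_login, u.user_registered, c.meta_value AS capabilities
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID AND m.meta_key = 'urm_user_just_created'
LEFT JOIN wp_usermeta c ON c.user_id = u.ID AND c.meta_key = 'wp_capabilities'
ORDER BY u.user_registered DESC"""

def just_created_users(conn):
    """Run TRIAGE_SQL on a DB-API connection; returns (ID, login, registered, caps) rows."""
    return conn.execute(TRIAGE_SQL).fetchall()

def correlate(hits, rows, window=timedelta(minutes=5)):
    """Pair each just-created user with source IPs that hit register_member within `window`
    of that user's registration time. The meta key alone is not evidence; the timing is."""
    out = []
    for _id, login, registered, _caps in rows:
        reg = datetime.strptime(registered, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        near = sorted({h["ip"] for h in hits if abs(h["time"] - reg) <= window})
        if near:
            out.append((login, near))
    return out

def demo_db():
    """Constructed in-memory stand-in for wp_users/wp_usermeta (not a real site dump)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES (1,'admin','2025-01-10 09:00:00'), (2,'alice','2026-02-20 11:05:00'),
                                    (3,'mallory','2026-02-25 03:14:00');
        INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES
            (1,'wp_capabilities','a:1:{s:13:"administrator";b:1;}'), (2,'wp_capabilities','a:1:{s:10:"subscriber";b:1;}'),
            (3,'wp_capabilities','a:1:{s:10:"subscriber";b:1;}'), (3,'urm_user_just_created','1');""")
    return conn

if __name__ == "__main__":
    hits = find_register_member_requests(SAMPLE_LOG)
    print(suspicious_sources(hits), correlate(hits, just_created_users(demo_db())))
```

To use this against a real site, feed your access log lines to `find_register_member_requests` and pass a DB-API connection to the live database (with the table prefix in `TRIAGE_SQL` adjusted) to `just_created_users`. If the action arrives in the POST body rather than the query string, the log-based check will see nothing, and a WAF or request-body log is needed instead.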
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to update the User Registration & Membership plugin to a version later than 5.1.2, where this authentication bypass is fixed.

If an update is not immediately possible, consider disabling or restricting access to the 'register_member' AJAX action so that it cannot be reached by unauthenticated clients. Because that action handles new-user registration, this also blocks legitimate sign-ups, so treat it as a stopgap until the plugin is updated.

Additionally, review users created with the 'urm_user_just_created' meta key and remove any that are suspicious.

Implement web application firewall (WAF) rules to block or alert on suspicious POST requests targeting the 'register_member' AJAX endpoint. [1]