CVE-2026-3601
Unauthorized Data Modification in User Registration & Membership WordPress Plugin
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpengine | user_registration_and_membership | up to and including 5.1.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The User Registration & Membership plugin for WordPress has a vulnerability due to a missing capability check in the embed_form_action() function in all versions up to and including 5.1.4.
This flaw allows authenticated attackers with Contributor-level access or higher to append shortcode content to arbitrary pages they do not own or have permission to edit.
How can this vulnerability impact me?
This vulnerability can allow attackers with limited access (Contributor-level or above) to modify content on pages they should not be able to edit by appending shortcode content.
Such unauthorized modifications could lead to content manipulation, potential misinformation, or insertion of malicious shortcodes that affect site behavior or appearance.
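The per-object authorization check that CWE-862 describes as missing, sketched as a hardened WordPress AJAX handler that appends a shortcode to a page. This is an added example, not the plugin's code or the vendor's patch; the action name, nonce name, request fields and shortcode tag are hypothetical.

```php
<?php
// Hypothetical handler: action name, nonce name, request fields and shortcode
// tag are assumptions for illustration, not taken from the plugin.
add_action( 'wp_ajax_example_embed_form', 'example_embed_form_action' );

function example_embed_form_action() {
	// A nonce proves the request came from the site's own UI (CSRF defence).
	// It is not an authorization check: any logged-in user who can load the
	// screen can obtain one.
	check_ajax_referer( 'example_embed_form', 'security' );

	$page_id = isset( $_POST['page_id'] ) ? absint( $_POST['page_id'] ) : 0;
	$form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;

	$page = $page_id ? get_post( $page_id ) : null;
	if ( ! $page || ! $form_id ) {
		wp_send_json_error( array( 'message' => 'Invalid request.' ), 400 );
	}

	// Authorize against the specific post being modified. 'edit_post' is a
	// meta capability, so WordPress maps it to ownership, post type and
	// status; a Contributor fails it for pages and for posts owned by others.
	if ( ! current_user_can( 'edit_post', $page_id ) ) {
		wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
	}

	$shortcode = sprintf( '[example_form id="%d"]', $form_id );
	$result    = wp_update_post(
		array(
			'ID'           => $page_id,
			// wp_update_post() expects slashed input.
			'post_content' => wp_slash( $page->post_content . "\n\n" . $shortcode ),
		),
		true // Return WP_Error on failure instead of 0.
	);

	if ( is_wp_error( $result ) ) {
		wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
	}
	wp_send_json_success( array( 'page_id' => $page_id ) );
}
```

When auditing other handlers for the same weakness, look for `wp_ajax_` callbacks that take a post ID from the request and write to it after only a nonce check or a general capability such as `edit_posts`.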