CVE-2026-14250
Received Received - Intake

Privilege Escalation in Themehunk Login Registration WordPress Plugin

Vulnerability report for CVE-2026-14250, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: Wordfence

Description

The Themehunk Login Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.2. This is due to the handle_frontend_register() function in the unauthenticated /thlogin/v1/register REST endpoint accepting a user-controlled 'role' parameter and validating it only against get_editable_roles() β€” which returns every defined editable site role, including 'editor' β€” before passing it to wp_insert_user(). This makes it possible for unauthenticated attackers, when public user registration is enabled, to create new accounts with the editor role.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
themehunk login_registration to 1.0.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Themehunk Login Registration plugin for WordPress has a vulnerability in versions up to and including 1.0.2 that allows privilege escalation. This occurs because the handle_frontend_register() function in the unauthenticated /thlogin/v1/register REST endpoint accepts a user-controlled 'role' parameter. The function only validates this parameter against get_editable_roles(), which includes all editable roles such as 'editor'. As a result, unauthenticated attackers can create new user accounts with elevated roles like 'editor' if public user registration is enabled.

Impact Analysis

This vulnerability can allow unauthenticated attackers to create new user accounts with elevated privileges, such as the 'editor' role, on a WordPress site using the vulnerable plugin. This can lead to unauthorized access, modification of content, and potentially further compromise of the website.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized creation of user accounts with elevated roles such as 'editor' via the /thlogin/v1/register REST endpoint. Since the vulnerability involves an unauthenticated REST API endpoint accepting a user-controlled 'role' parameter, inspecting HTTP requests to this endpoint for suspicious role assignments is key.

You can use network monitoring tools or web server logs to identify POST requests to /thlogin/v1/register that include a 'role' parameter set to elevated roles like 'editor'.

Example commands to detect such activity might include:

  • Using grep on web server access logs to find suspicious POST requests: grep 'POST /thlogin/v1/register' /var/log/apache2/access.log | grep 'role=editor'
  • Using curl to test the endpoint manually (for detection or verification): curl -X POST https://yourwordpresssite.com/thlogin/v1/register -d 'username=testuser&password=TestPass123&role=editor'

Additionally, checking the WordPress user database for recently created users with elevated roles can help detect exploitation.

Mitigation Strategies

To mitigate this vulnerability immediately, you should disable public user registration if it is not required, as the exploit depends on public registration being enabled.

If public registration is necessary, restrict or disable the vulnerable REST endpoint /thlogin/v1/register until a patch is applied.

Update the Themehunk Login Registration plugin to a version later than 1.0.2 once a fixed version is released.

As a temporary workaround, you can implement web application firewall (WAF) rules to block requests that attempt to set the 'role' parameter to elevated roles such as 'editor'.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14250. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart