Description
The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.8. This is due to missing or incorrect nonce validation on the 'process_row_actions' function with the 'delete' action. This makes it possible for unauthenticated attackers to delete arbitrary post via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-01-10
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery allowing deletion of arbitrary WordPress posts
Action: Immediate Patch
AI Analysis

Impact

The User Registration & Membership plugin for WordPress is vulnerable to a CSRF flaw caused by missing or incorrect nonce validation in the 'process_row_actions' function for the 'delete' action. This flaw permits an attacker to create a forged request that, when executed by a site administrator, will delete any post the admin has permission to delete. The impact is a loss of content integrity and potential availability disruption if critical posts are removed. The weakness is categorized as CWE‑352, indicating an improper defensive measure against cross‑site request forgery.

Affected Systems

All WordPress sites running the User Registration & Membership plugin up to and including version 4.4.8 are affected. This includes installations with the free and paid membership features, subscription management, content restriction, user profile, and custom registration or login builder functionality provided by the wpeverest plugin.

Risk and Exploitability

The CVSS score of 5.4 places the vulnerability in the moderate severity range. The EPSS score of less than 1% suggests a low probability of exploitation in the near term, and the vulnerability is not listed on the CISA KEV catalog. Attackers would need to entice a site administrator to visit a crafted URL or click a malicious link in order to trigger the deletion. The known exploit path relies on CSRF; no additional privileges or code execution are required, making it a simple yet potentially damaging attack vector for sites that frequently publish valuable content.

Generated by OpenCVE AI on April 20, 2026 at 21:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to the most recent release that includes proper nonce validation for the delete action.
  • If an upgrade cannot be performed immediately, disable the delete capability for unauthenticated users by removing the delete link from non‑admin pages or restricting the 'process_row_actions' hook to administrator roles only.
  • Verify that all form or AJAX endpoints performing deletions are protected by a valid nonce, and add an additional nonce check where missing to guard against CSRF attacks.

Generated by OpenCVE AI on April 20, 2026 at 21:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 12 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpeverest
Wpeverest user Registration
Wpeverest user Registration & Membership
Vendors & Products Wordpress
Wordpress wordpress
Wpeverest
Wpeverest user Registration
Wpeverest user Registration & Membership

Mon, 12 Jan 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 10 Jan 2026 08:45:00 +0000

Type Values Removed Values Added
Description The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.8. This is due to missing or incorrect nonce validation on the 'process_row_actions' function with the 'delete' action. This makes it possible for unauthenticated attackers to delete arbitrary post via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title User Registration & Membership <= 4.4.8 - Cross-Site Request Forgery to Arbitrary Post Deletion
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

Subscriptions

Wordpress Wordpress
Wpeverest User Registration User Registration & Membership
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:48.492Z

Reserved: 2025-12-19T15:49:21.390Z

Link: CVE-2025-14976

cve-icon Vulnrichment

Updated: 2026-01-12T13:08:18.344Z

cve-icon NVD

Status : Deferred

Published: 2026-01-10T09:15:48.863

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14976

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:15:20Z

Weaknesses