Description
The Restrict User Registration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the update() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-10-03
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery allowing unauthorized settings changes
Action: Immediate Patch
AI Analysis

Impact

The Restrict User Registration plugin contains a missing or incorrect nonce check in its update() function, which permits an unauthenticated attacker to send a forged request that modifies the plugin’s configuration settings. By tricking an administrator into clicking a crafted link or submitting a form, the attacker can change the plugin’s behavior, potentially enabling or disabling features, altering registration restrictions, or compromising site security. This represents a medium‑severity CSRF flaw (CWE-352).

Affected Systems

WordPress sites using the devrix Restrict User Registration plugin, any version up to and including 1.0.1, are affected. The issue impacts the plugin’s settings page accessed by site administrators. All installations of the plugin before the patched release are vulnerable.

Risk and Exploitability

The CVSS base score is 5.3, indicating medium severity. The EPSS score is less than 1%, suggesting a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. However, exploitation requires the attacker to convince an administrator to perform an action, which may be feasible through phishing or social engineering. The resulting unauthorized configuration changes could open pathways for further attacks by modifying user registration constraints or enabling undesirable access.

Generated by OpenCVE AI on April 21, 2026 at 02:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Restrict User Registration plugin to the latest available version (v1.0.2 or later) to restore proper nonce validation.
  • If an upgrade cannot be performed immediately, temporarily disable the plugin or revert to a backup before the change to prevent further configuration modification.
  • Monitor site logs for unexpected POST requests to the plugin’s settings endpoint and alert on anomalous activity.
  • Implement or enforce strict CSRF protections for all admin actions, ensuring nonces are validated consistently.
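The last action above, and the missing nonce check described under Impact, come down to one WordPress idiom: bind the settings form to a nonce and verify it (together with the caller's capability) before writing the option. The following is an added illustration, not the Restrict User Registration plugin's own code; the `rur_demo_*` function, option and field names are assumptions.

```php
<?php
// Added example of the CSRF pattern behind this advisory and its fix.
// Hypothetical handler; option and field names are assumptions, not the
// plugin's real identifiers.

// Vulnerable pattern: any POST reaching this function updates the option.
// No nonce and no capability check, so a form submitted cross-site by a
// browser that holds an administrator's session cookie succeeds.
function rur_demo_update_vulnerable() {
    if ( isset( $_POST['rur_allowed_domains'] ) ) {
        $domains = sanitize_text_field( wp_unslash( $_POST['rur_allowed_domains'] ) );
        update_option( 'rur_demo_allowed_domains', $domains );
    }
}

// Hardened pattern, step 1: the settings form carries a nonce tied to the
// 'rur_demo_update' action and to the current user's session.
function rur_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rur_demo_update">
        <?php wp_nonce_field( 'rur_demo_update', 'rur_demo_nonce' ); ?>
        <input type="text" name="rur_allowed_domains"
               value="<?php echo esc_attr( get_option( 'rur_demo_allowed_domains', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Hardened pattern, step 2: verify capability and nonce before writing.
function rur_demo_update_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() stops the request with a 403 when the nonce is
    // missing, expired, or was issued for another action or user.
    check_admin_referer( 'rur_demo_update', 'rur_demo_nonce' );

    $domains = isset( $_POST['rur_allowed_domains'] )
        ? sanitize_text_field( wp_unslash( $_POST['rur_allowed_domains'] ) )
        : '';
    update_option( 'rur_demo_allowed_domains', $domains );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}

// Only authenticated admin-post.php requests reach the hardened handler.
add_action( 'admin_post_rur_demo_update', 'rur_demo_update_hardened' );
```

A forged request from another origin cannot include a valid `rur_demo_nonce`, because the value is derived from the victim's session and the action name, so the hardened handler rejects it before `update_option()` runs.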



Advisories
Source: EUVD
ID: EUVD-2025-32263
Title: The Restrict User Registration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the update() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Mon, 06 Oct 2025 14:45:00 +0000

Type: First Time appeared
Values added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Wordpress; Wordpress wordpress

Fri, 03 Oct 2025 19:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Oct 2025 11:30:00 +0000

Type: Description
Values added: The Restrict User Registration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the update() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values added: Restrict User Registration <= 1.0.1 - Cross-Site Request Forgery to Settings Update

Type: Weaknesses
Values added: CWE-352

Type: References
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:06:32.179Z

Reserved: 2025-09-02T23:02:42.696Z

Link: CVE-2025-9892

Vulnrichment

Updated: 2025-10-03T18:14:53.160Z

NVD

Status: Deferred

Published: 2025-10-03T12:15:50.303

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9892

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:45:25Z

Weaknesses