Description
The Pie Register WordPress plugin before 3.8.4.10 does not use sufficiently random values when generating its account verification tokens, allowing unauthenticated attackers to predict a valid token and activate an account without access to the associated email inbox.
Published: 2026-06-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the Pie Register WordPress plugin before version 3.8.4.10, which generates account verification tokens that are not sufficiently random. Because the token generation algorithm produces predictable values, an attacker who can anticipate or compute a valid token can activate a user account without ever accessing the account’s associated email inbox. The consequence of a successful exploitation is that a malicious actor can create a verified account on the WordPress site and access any content or features available to a registered user. The weakness is consistent with randomness failures and insufficient confidentiality, typical of CWE‑330 and CWE‑200.

Affected Systems

WordPress installations that have the Pie Register plugin older than 3.8.4.10 are affected. Any site using the vulnerable plugin version is at risk of unauthorized account activation. No additional vendor or deployment details are provided, so the threat applies broadly to all affected WordPress sites regardless of hosting environment.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation can be performed from the public web interface, requiring only the ability to generate a valid verification token. The attacker does not need prior authentication or privileged access to the server; the public registration endpoint is sufficient for the attack. The lack of a formal exploitation probability makes the actual likelihood uncertain, but the moderate CVSS suggests that the vulnerability could be abused if a credential or predictable token algorithm is understood. Attackers are likely to attempt token prediction or brute‑force enumeration to activate accounts.

Generated by OpenCVE AI on June 22, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Pie Register plugin to version 3.8.4.10 or later, which corrects the token generation logic.
  • In the interim, restrict or temporarily disable public user registration until the patch is applied, to prevent new user accounts from being created via the vulnerable token system.
  • Enable two‑factor authentication for all user accounts if the WordPress installation or another plugin provides it, adding an extra layer for account protection.

Generated by OpenCVE AI on June 22, 2026 at 20:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Pie Register
Pie Register pie Register
Wordpress
Wordpress wordpress
Vendors & Products Pie Register
Pie Register pie Register
Wordpress
Wordpress wordpress

Mon, 22 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-330

Mon, 22 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-330

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Mon, 22 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-330

Mon, 22 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
Description The Pie Register WordPress plugin before 3.8.4.10 does not use sufficiently random values when generating its account verification tokens, allowing unauthenticated attackers to predict a valid token and activate an account without access to the associated email inbox.
Title Pie Register < 3.8.4.10 - Unauthenticated Email Verification Bypass via Predictable Token
References

Subscriptions

Pie Register Pie Register
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-22T16:35:29.679Z

Reserved: 2026-06-01T11:10:04.525Z

Link: CVE-2026-10530

cve-icon Vulnrichment

Updated: 2026-06-22T16:10:30.683Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:41:34Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-330

    Use of Insufficiently Random Values