Impact
The vulnerability arises from the Pie Register WordPress plugin before version 3.8.4.10, which generates account verification tokens that are not sufficiently random. Because the token generation algorithm produces predictable values, an attacker who can anticipate or compute a valid token can activate a user account without ever accessing the account’s associated email inbox. The consequence of a successful exploitation is that a malicious actor can create a verified account on the WordPress site and access any content or features available to a registered user. The weakness is consistent with randomness failures and insufficient confidentiality, typical of CWE‑330 and CWE‑200.
Affected Systems
WordPress installations that have the Pie Register plugin older than 3.8.4.10 are affected. Any site using the vulnerable plugin version is at risk of unauthorized account activation. No additional vendor or deployment details are provided, so the threat applies broadly to all affected WordPress sites regardless of hosting environment.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation can be performed from the public web interface, requiring only the ability to generate a valid verification token. The attacker does not need prior authentication or privileged access to the server; the public registration endpoint is sufficient for the attack. The lack of a formal exploitation probability makes the actual likelihood uncertain, but the moderate CVSS suggests that the vulnerability could be abused if a credential or predictable token algorithm is understood. Attackers are likely to attempt token prediction or brute‑force enumeration to activate accounts.
OpenCVE Enrichment