Description
Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Registration: from n/a through <= 4.4.9.
Published: 2026-01-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The vulnerability permits an attacker to execute arbitrary shortcodes through the User Registration plugin because the plugin’s access control is incorrectly configured. This missing authorization flaw allows code to run with the privileges of the WordPress installation, potentially compromising the entire site. The weakness aligns with missing authorization (CWE‑862) and results in an impact of remote code execution.

Affected Systems

The flaw affects the User Registration plugin from its earliest available version through version 4.4.9. Any WordPress installation using wpeverest’s User Registration plugin up to that point is vulnerable.

Risk and Exploitability

With a CVSS score of 4.3 the vulnerability is deemed medium severity, yet current exploit probability is low (EPSS < 1%) and it is not listed in the CISA KEV catalog. The likely attack vector is a crafted request to the plugin’s shortcode functionality, exploitable by users who can inject content or by administrators lacking proper access controls. Until a patch is applied, the risk remains moderate if an attacker can leverage the shortcode mechanism on the site.

Generated by OpenCVE AI on April 28, 2026 at 18:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest User Registration plugin (4.5 or newer) to eliminate the flaw.
  • Configure the plugin to restrict shortcode execution to trusted roles such as administrators, ensuring unauthenticated or lower‑privilege users cannot trigger the shortcode.
  • If an upgrade is not immediately possible, disable or remove the User Registration plugin or remove the shortcode functionality from the registration form until the issue is fixed.

Generated by OpenCVE AI on April 28, 2026 at 18:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Mon, 26 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpeverest
Wpeverest user Registration
Vendors & Products Wordpress
Wordpress wordpress
Wpeverest
Wpeverest user Registration

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Registration: from n/a through <= 4.4.9.
Title WordPress User Registration plugin <= 4.4.9 - Arbitrary Shortcode Execution vulnerability
Weaknesses CWE-862
References

Subscriptions

Wordpress Wordpress
Wpeverest User Registration
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:47.666Z

Reserved: 2026-01-22T14:42:24.566Z

Link: CVE-2026-24353

cve-icon Vulnrichment

Updated: 2026-01-23T16:48:46.863Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:38.910

Modified: 2026-04-28T03:16:02.620

Link: CVE-2026-24353

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T18:15:37Z

Weaknesses