Description
Incorrect Privilege Assignment vulnerability in wpeverest User Registration user-registration allows Privilege Escalation.This issue affects User Registration: from n/a through <= 4.4.9.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Now
AI Analysis

Impact

The WordPress User Registration plugin contains an Incorrect Privilege Assignment flaw that allows an attacker to gain higher permissions than intended. This weakness is classified as CWE‑266, indicating improper assignment of user privileges. If exploited, the attacker can operate with elevated rights on the site, potentially altering content, user roles, or sensitive settings.

Affected Systems

All releases of the WPeverset User Registration plugin through version 4.4.9 are affected. WordPress sites still using any of these versions remain vulnerable, as the flaw resides in the component that processes user registrations and assigns roles.

Risk and Exploitability

The CVSS score of 8.1 reflects a high severity, while the EPSS score of less than 1% suggests a low likelihood of current exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, indicating no widespread public exploitation to date. The likely attack path involves the plugin’s registration workflow, where manipulated input could trigger the incorrect privilege assignment and grant the attacker unauthorized permissions.

Generated by OpenCVE AI on March 27, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the User Registration plugin to any version newer than 4.4.9 to eliminate the vulnerability.
  • If an upgrade cannot be performed immediately, disable the plugin until a patched version is available.
  • Review existing user roles to verify that only legitimate accounts have elevated privileges.
  • Monitor registration logs and user activity for signs of unauthorized role changes.
  • Maintain up‑to‑date backups and verify restore procedures to mitigate potential damage.

Generated by OpenCVE AI on March 27, 2026 at 00:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpeverest
Wpeverest user Registration
Vendors & Products Wordpress
Wordpress wordpress
Wpeverest
Wpeverest user Registration

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Incorrect Privilege Assignment vulnerability in wpeverest User Registration user-registration allows Privilege Escalation.This issue affects User Registration: from n/a through <= 4.4.9.
Title WordPress User Registration plugin <= 4.4.9 - Privilege Escalation vulnerability
Weaknesses CWE-266
References

Subscriptions

Wordpress Wordpress
Wpeverest User Registration
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T19:39:51.790Z

Reserved: 2026-03-12T11:12:00.509Z

Link: CVE-2026-32488

cve-icon Vulnrichment

Updated: 2026-03-26T19:38:25.665Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:59.730

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-32488

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:31:09Z

Weaknesses