Description
The Pie Register – User Registration, Profiles & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pie_main() function in all versions up to, and including, 3.8.4.8. This makes it possible for unauthenticated attackers to change registration form status.
Published: 2026-04-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The Pie Register plugin for WordPress lacks a capability check in the pie_main() function in all releases up to 3.8.4.8. This flaw permits any unauthenticated user to submit requests that alter the registration form status, effectively changing how new users register on the site. The unauthorized modification represents a data integrity issue and a privilege escalation vector, allowing attackers to enable or disable registration forms without permission. The identified weakness corresponds to CWE‑862, Unauthorized Access – Privilege Escalation.

Affected Systems

WordPress sites that use the Genetechproducts Pie Register – User Registration, Profiles & Content Restriction plugin. Vulnerable versions are all releases up to and including 3.8.4.8; any installation on a WordPress site running those versions is affected.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium‑to‑high severity vulnerability. Although no EPSS score is provided and the issue is not listed in CISA’s KEV catalog, the lack of authentication makes it theoretically exploitable by any external actor reaching the plugin’s endpoints. The likely attack path involves sending crafted requests to the registration form status endpoint, which the plugin processes without verifying user capabilities.

Generated by OpenCVE AI on April 4, 2026 at 04:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Pie Register plugin to the latest version that includes the fix (at least 3.8.4.9).
  • Verify the update by ensuring that unauthenticated requests can no longer modify the registration form status.
  • If the update cannot be applied immediately, restrict unauthenticated access to the pie_main endpoint using a firewall rule or a WordPress security plugin to block unauthorized POST requests.
  • Continuously monitor the site for any unauthorized changes to registration form settings and review audit logs for anomalous activity.

Generated by OpenCVE AI on April 4, 2026 at 04:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Genetechproducts
Genetechproducts pie Register – User Registration, Profiles & Content Restriction
Wordpress
Wordpress wordpress
Vendors & Products Genetechproducts
Genetechproducts pie Register – User Registration, Profiles & Content Restriction
Wordpress
Wordpress wordpress

Mon, 06 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 04 Apr 2026 02:30:00 +0000

Type Values Removed Values Added
Description The Pie Register – User Registration, Profiles & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pie_main() function in all versions up to, and including, 3.8.4.8. This makes it possible for unauthenticated attackers to change registration form status.
Title Pie Register – User Registration, Profiles & Content Restriction <= 3.8.4.8 - Missing Authorization to Unauthenticated Registration Form Status Modification
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

Genetechproducts Pie Register – User Registration, Profiles & Content Restriction
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:45:02.699Z

Reserved: 2026-03-04T21:06:23.152Z

Link: CVE-2026-3571

cve-icon Vulnrichment

Updated: 2026-04-06T13:22:11.197Z

cve-icon NVD

Status : Deferred

Published: 2026-04-04T02:15:59.310

Modified: 2026-04-24T18:13:28.877

Link: CVE-2026-3571

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T22:21:06Z

Weaknesses