Description
Unauthenticated Broken Access Control in User Registration Stripe <= 1.3.12 versions.
Published: 2026-06-17
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the User Registration Stripe plugin permits unauthenticated users to perform actions that should be reserved for privileged roles. The broken access control allows an attacker to access or modify sensitive plugin settings, potentially exposing data or redirecting payment flows. The vulnerability falls under CWE-862, which indicates improper authorization checks.

Affected Systems

The issue affects installations of the ThemeGrill WordPress User Registration Stripe plugin version 1.3.12 and earlier. Users running these plugin versions on any WordPress site are impacted regardless of the theme or other plugins installed.

Risk and Exploitability

The CVSS score of 8.2 indicates a high severity and the EPSS score is not available, but the lack of a current EPSS does not reduce the risk of exploitation. Because the flaw can be triggered by unauthenticated traffic, an attacker could attempt the exploit from any network location. The vulnerability is not listed in the CISA KEV catalog, yet the high CVSS suggests that email alerts or threat feeds may still flag it for organizations with the plugin installed.

Generated by OpenCVE AI on June 18, 2026 at 14:33 UTC.

Remediation

Vendor Solution

Update the WordPress User Registration Stripe Plugin to the latest available version (at least 1.3.13).


OpenCVE Recommended Actions

  • Update the WordPress User Registration Stripe Plugin to version 1.3.13 or later to eliminate the access‑control flaw.
  • Disable or delete the plugin on sites that cannot be patched immediately to prevent exposure of the vulnerable functionality.
  • Audit WordPress user roles to ensure only legitimate administrators have elevated privileges and consider hardening tools to enforce least privilege.

Generated by OpenCVE AI on June 18, 2026 at 14:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Themegrill
Themegrill user Registration Stripe
Wordpress
Wordpress wordpress
Vendors & Products Themegrill
Themegrill user Registration Stripe
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Broken Access Control in User Registration Stripe <= 1.3.12 versions.
Title WordPress User Registration Stripe plugin <= 1.3.12 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N'}


Subscriptions

Themegrill User Registration Stripe
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:31:15.344Z

Reserved: 2026-05-27T10:27:09.956Z

Link: CVE-2026-49081

cve-icon Vulnrichment

Updated: 2026-06-17T14:31:08.921Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:03:55Z

Weaknesses