Description
The User Registration & Membership plugin for WordPress is vulnerable to Open Redirect in versions up to and including 5.1.4. This is due to insufficient validation of user-supplied URLs passed via the 'redirect_to_on_logout' GET parameter before redirecting users. The `redirect_to_on_logout` GET parameter is passed directly to WordPress's `wp_redirect()` function instead of the domain-restricted `wp_safe_redirect()`. While `esc_url_raw()` is applied to sanitize malformed URLs, it does not restrict the redirect destination to the local domain, allowing an attacker to craft a specially formed link that redirects users to potentially malicious external URLs after logout, which could be used to facilitate phishing attacks.
Published: 2026-04-13
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect after logout
Action: Immediate Patch
AI Analysis

Impact

The User Registration & Membership plugin for WordPress contains an open redirect flaw that lets an unauthenticated attacker choose where a user's browser is sent after logging out. The value of the 'redirect_to_on_logout' query parameter is sanitized with esc_url_raw(), which only normalizes the URL, and is then handed to wp_redirect(), which performs no host check; the domain-restricted wp_safe_redirect() is never involved, so the browser follows the redirect to an arbitrary external site. The weakness corresponds to CWE-601 and is useful for phishing: the link the victim clicks points at the trusted site, and only the final hop lands on the attacker's page.
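
To make the mechanism concrete, the following PHP is an added illustration for this entry, not the plugin's source (which this page does not reproduce). It shows the pattern the description names (esc_url_raw() followed by wp_redirect()), the hardened counterpart (wp_safe_redirect()), and a site-side stopgap for administrators who cannot update yet. The handler names and the assumption that the parameter is read from $_GET on the logout request are illustrative; the WordPress functions and the 'wp_redirect' filter hook are real core APIs.

```php
<?php
/**
 * Added illustration for CVE-2026-6203. Not the plugin's own code.
 * Assumption: a logout handler reads redirect_to_on_logout from $_GET,
 * as the advisory describes. Only runs inside WordPress.
 */

// The pattern the advisory describes. esc_url_raw() cleans up a malformed
// URL but does not care which host it points to, and wp_redirect() sends the
// browser wherever the location says. An attacker-supplied
// ?redirect_to_on_logout=https://attacker.example/ therefore goes straight through.
function ur_example_logout_redirect_vulnerable() {
    $target = isset( $_GET['redirect_to_on_logout'] )
        ? esc_url_raw( wp_unslash( $_GET['redirect_to_on_logout'] ) )
        : home_url();
    wp_redirect( $target ); // no host check: open redirect
    exit;
}

// Hardened form. wp_safe_redirect() runs wp_validate_redirect(), which
// replaces the location with the fallback (admin_url() by default) unless its
// host is the site's own host or one added via the allowed_redirect_hosts
// filter. Relative paths such as /my-account/ still work.
function ur_example_logout_redirect_safe() {
    $target = isset( $_GET['redirect_to_on_logout'] )
        ? esc_url_raw( wp_unslash( $_GET['redirect_to_on_logout'] ) )
        : home_url();
    wp_safe_redirect( $target ); // offsite hosts fall back to admin_url()
    exit;
}

// Site-side stopgap until the plugin is updated: save as a file in
// wp-content/mu-plugins/. wp_redirect() passes every location through the
// 'wp_redirect' filter before emitting the Location header, so we apply the
// same host validation wp_safe_redirect() would have applied. The check is
// scoped to requests that carry redirect_to_on_logout so that unrelated
// offsite redirects (for example to a payment gateway) keep working.
add_filter( 'wp_redirect', function ( $location, $status ) {
    if ( ! isset( $_GET['redirect_to_on_logout'] ) ) {
        return $location;
    }
    // Offsite targets are replaced by the site's home URL.
    return wp_validate_redirect( $location, home_url() );
}, 10, 2 );
```

The stopgap is deliberately narrow: a global rewrite of every redirect through wp_validate_redirect() would also break legitimate third-party redirects that a membership plugin with paid subscriptions is likely to perform. Remove the mu-plugin once the fixed plugin release is installed and verified.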

Affected Systems

WordPress websites that use the User Registration & Membership plugin (WPEverest) at version 5.1.4 or earlier are vulnerable. The plugin provides free and paid membership, subscription, content restriction, user profile, and custom registration & login features. Sites running an unpatched version remain at risk until they are updated.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N): reachable over the network without authentication, but the victim must follow the crafted link, and the impact lands on the site the user is redirected to rather than on the WordPress host itself (changed scope). The EPSS probability is below 1%, the flaw is not listed in the CISA KEV catalog, and the SSVC assessment recorded on this page notes no known exploitation. In practice an attacker distributes a link to the trusted site's logout URL carrying an external 'redirect_to_on_logout' value; users who click it are sent to a phishing or malware delivery site, which can lead to credential theft or broader compromise. A quick check for a site is to request the logout URL with 'redirect_to_on_logout' set to an external host and inspect the Location header of the response; a vulnerable version echoes the external host back.
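
For hunting in web-server logs, the following stand-alone PHP script is an added example (not from the vendor or this page) that flags redirect_to_on_logout values pointing off-site. It goes beyond the advisory text by also catching the scheme-relative (//host/path) and scheme-without-slashes (https:host) spellings that browsers follow but naive host checks miss. The site host, the log lines and the combined-log-format assumption are constructed for the example.

```php
<?php
/**
 * Added example: triage access logs for offsite redirect_to_on_logout values.
 * Assumes Apache/nginx combined log format and that $site_host is the site's
 * own host. Log lines below are constructed for this example.
 */

$site_host = 'shop.example';

$log_lines = [
    '203.0.113.7 - - [13/Apr/2026:22:41:03 +0000] "GET /?redirect_to_on_logout=%2Fmy-account%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Apr/2026:22:42:11 +0000] "GET /?redirect_to_on_logout=https%3A%2F%2Fshop.example%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Apr/2026:22:43:55 +0000] "GET /?redirect_to_on_logout=https%3A%2F%2Flogin.shop-example.net%2Fverify HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Apr/2026:22:44:20 +0000] "GET /?redirect_to_on_logout=%2F%2Fattacker.example%2Fwp-login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Apr/2026:22:44:52 +0000] "GET /?redirect_to_on_logout=https%3Aattacker.example%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [13/Apr/2026:22:45:01 +0000] "GET /wp-login.php?action=logout HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

/**
 * Host a redirect value would send the browser to, or '' for a same-site
 * relative path. The value is already URL-decoded by parse_str().
 */
function redirect_host( string $value ): string {
    $value = ltrim( $value );
    // "//host/path" is scheme-relative: browsers reuse the current scheme.
    if ( substr( $value, 0, 2 ) === '//' ) {
        $value = 'https:' . $value;
    }
    // "https:host/path" (no slashes) is treated as https://host/path by browsers,
    // but parse_url() sees no host; rebuild it so the host is visible.
    if ( preg_match( '#^(https?):(?!//)(.*)$#i', $value, $m ) ) {
        $value = $m[1] . '://' . $m[2];
    }
    $host = parse_url( $value, PHP_URL_HOST );
    return is_string( $host ) ? strtolower( $host ) : '';
}

/** Return [client, host, raw] for every request whose logout redirect leaves the site. */
function offsite_logout_redirects( array $lines, string $site_host ): array {
    $hits = [];
    foreach ( $lines as $line ) {
        if ( ! preg_match( '/^(\S+) .*? "(?:GET|POST) (\S+) /', $line, $m ) ) {
            continue; // not a combined-format request line
        }
        [ , $client, $path ] = $m;
        $query = parse_url( $path, PHP_URL_QUERY );
        if ( ! is_string( $query ) ) {
            continue;
        }
        parse_str( $query, $params );
        if ( ! isset( $params['redirect_to_on_logout'] ) ) {
            continue;
        }
        $host = redirect_host( (string) $params['redirect_to_on_logout'] );
        if ( $host !== '' && $host !== strtolower( $site_host ) ) {
            $hits[] = [ 'client' => $client, 'host' => $host, 'raw' => $params['redirect_to_on_logout'] ];
        }
    }
    return $hits;
}

foreach ( offsite_logout_redirects( $log_lines, $site_host ) as $hit ) {
    printf( "%s -> %s (%s)\n", $hit['client'], $hit['host'], $hit['raw'] );
}
```

Run with `php triage.php` after replacing the constructed array with lines read from the real log. On the sample data the first two entries are same-site and are ignored, while the three requests from 198.51.100.9 are reported; a burst of such requests from one client, or a look-alike host such as login.shop-example.net, is the signature of a phishing campaign built on this flaw.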

Generated by OpenCVE AI on April 13, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the User Registration & Membership plugin to a version newer than 5.1.4 as soon as one is published; the description's "up to and including 5.1.4" marks the vulnerable range, not a confirmed fixed release
  • Until the update is installed, enforce on the site side the host check the plugin omits: pass redirect targets on requests carrying redirect_to_on_logout through wp_validate_redirect(), which is what wp_safe_redirect() would have done

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress (wordpress); Wpeverest (user Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder)

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress (wordpress); Wpeverest (user Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder)

Tue, 14 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 22:45:00 +0000

Type: Description
Values Added: The User Registration & Membership plugin for WordPress is vulnerable to Open Redirect in versions up to and including 5.1.4. This is due to insufficient validation of user-supplied URLs passed via the 'redirect_to_on_logout' GET parameter before redirecting users. The `redirect_to_on_logout` GET parameter is passed directly to WordPress's `wp_redirect()` function instead of the domain-restricted `wp_safe_redirect()`. While `esc_url_raw()` is applied to sanitize malformed URLs, it does not restrict the redirect destination to the local domain, allowing an attacker to craft a specially formed link that redirects users to potentially malicious external URLs after logout, which could be used to facilitate phishing attacks.

Type: Title
Values Added: User Registration & Membership <= 5.1.4 - Unauthenticated Open Redirect via 'redirect_to_on_logout' Parameter

Type: Weaknesses
Values Added: CWE-601

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-14T14:04:53.123Z

Reserved: 2026-04-13T09:51:20.465Z

Link: CVE-2026-6203

Vulnrichment

Updated: 2026-04-14T14:04:14.805Z

NVD

Status : Received

Published: 2026-04-13T23:16:28.110

Modified: 2026-04-13T23:16:28.110

Link: CVE-2026-6203

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:32:51Z

Weaknesses