A critical security vulnerability in the User Registration & Membership WordPress plugin allows unauthenticated attackers to create administrator accounts. The flaw affects all sites running plugin versions up to 5.1.2 and is patched in version 5.1.3. Security company Wordfence disclosed the issue in a public Wordfence advisory on its threat intelligence site.
WordPress User Registration & Membership Plugin Vulnerability
User Registration & Membership is a WordPress plugin used to build and manage membership sites with custom registration workflows. It supports custom registration forms, user role assignments, content restriction, subscription plans, and payment collection. According to the Wordfence advisory, it is installed on more than 60,000 websites.
The plugin's marketplace listing highlights features such as custom login forms, user profiles, and content restriction controls. These capabilities make it a common choice for sites with gated content or paid membership programs. Any site still running a vulnerable version inherits the flawed registration behavior.
Key Details
- The vulnerability is rated 9.8 out of 10 and classified as critical severity in the Wordfence advisory.
- Wordfence identifies the issue as improper privilege management in the plugin's membership registration functionality.
- All plugin versions up to and including 5.1.2 are affected.
- Version 5.1.3 introduces a fix that restricts which roles can be assigned during membership registration.
- The vulnerability exists because the plugin accepts a user-supplied role value during registration without enforcing a server-side allowlist.
- Unauthenticated attackers can submit administrator as the desired role during registration and receive an administrator-level WordPress account.
- Administrator accounts can install or delete plugins, modify themes, upload code, manage user accounts, and access stored site data.
- The attack does not require an existing user account or prior authentication on the target site.
Background Context
Wordfence describes the issue as affecting the User Registration & Membership - Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin for WordPress. The advisory explains that the plugin accepts a user-supplied role during membership registration and does not properly enforce a server-side allowlist of permitted roles.
A server-side allowlist typically limits which user roles can be assigned during self-service registration. Without that control, the registration system processes any role submitted in the request payload, which enables the unauthenticated privilege escalation.
Wordfence reports that version 5.1.3 of the plugin contains the remediation. In the patched release, role assignment during registration is restricted to an approved set of roles, preventing registration submissions from assigning administrator or similarly elevated roles.
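To make the mechanism in the two paragraphs above concrete, here is an added illustration written for this report; it is not the plugin's code and does not reproduce its internals. It models the pattern the advisory describes: a self-service registration handler that applies whatever role the request carries, next to a hardened version that resolves the role against a fixed server-side allowlist. The `example_*` function names, the `EXAMPLE_*` constants, the request field names, and the allowed-role policy are all hypothetical; the WordPress functions used (`wp_insert_user`, `wp_roles`, `get_userdata`, `WP_User::set_role`, the `sanitize_*` helpers, `is_wp_error`) are the real core APIs.

```php
<?php
// Added example for illustration only. Hypothetical handler names and policy;
// not the plugin's code. Assumes it runs inside a loaded WordPress environment.

// Roles that self-service registration may assign (hypothetical site policy).
const EXAMPLE_ALLOWED_REGISTRATION_ROLES = ['subscriber', 'member'];
const EXAMPLE_DEFAULT_ROLE = 'subscriber';

/**
 * Vulnerable pattern: the role is taken straight from the request payload.
 * Sanitizing the string does not restrict its value, so any role WordPress
 * recognises, including 'administrator', is applied to the new account.
 */
function example_register_member_vulnerable(array $request) {
    return wp_insert_user([
        'user_login' => sanitize_user($request['username'] ?? ''),
        'user_email' => sanitize_email($request['email'] ?? ''),
        'user_pass'  => $request['password'] ?? '',
        'role'       => sanitize_text_field($request['role'] ?? EXAMPLE_DEFAULT_ROLE),
    ]);
}

/**
 * Hardened pattern, step 1: treat the submitted role as a hint only.
 * Anything outside the server-side allowlist falls back to the default role.
 */
function example_resolve_registration_role($requested) {
    $requested = is_string($requested) ? strtolower(trim($requested)) : '';

    // Strict comparison against the allowlist; unknown or elevated roles are rejected.
    if (!in_array($requested, EXAMPLE_ALLOWED_REGISTRATION_ROLES, true)) {
        return EXAMPLE_DEFAULT_ROLE;
    }
    // An allowlisted role must also actually exist on this site.
    if (!wp_roles()->is_role($requested)) {
        return EXAMPLE_DEFAULT_ROLE;
    }
    return $requested;
}

/**
 * Hardened pattern, step 2: create the user with the resolved role and verify
 * the stored role afterwards, so nothing downstream can re-elevate the account.
 */
function example_register_member_hardened(array $request) {
    $role = example_resolve_registration_role($request['role'] ?? null);

    $user_id = wp_insert_user([
        'user_login' => sanitize_user($request['username'] ?? ''),
        'user_email' => sanitize_email($request['email'] ?? ''),
        'user_pass'  => $request['password'] ?? '',
        'role'       => $role,
    ]);
    if (is_wp_error($user_id)) {
        return $user_id;
    }

    // Post-creation check: the account must hold exactly the resolved role.
    $user = get_userdata($user_id);
    if ($user && $user->roles !== [$role]) {
        $user->set_role($role);
    }
    return $user_id;
}
```

The point of the hardened version is that the allowlist lives on the server and is the only source of truth: a restricted dropdown in the registration form is not a control, because the request payload can carry any value. The post-creation re-check is cheap insurance against other hooks on `wp_insert_user` changing the role, and it gives administrators a single place to audit what self-service registration is allowed to hand out.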
Source Citations
The following primary security advisory provides the technical details, affected versions, and severity rating referenced in this report.
- Wordfence advisory: User Registration & Membership 5.1.2 - Unauthenticated Privilege Escalation via Membership Registration on Wordfence Threat Intelligence