cleantalk
Vulnerabilities and Security Researches

User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin, CVE-2026-3601

CVE, Research URL

CVE-2026-3601

Home page URL

Security reports for User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin

Application

User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin

Published on
May 05, 2026
Research Description
The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `embed_form_action()` function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to append shortcode content to arbitrary pages they do not own or have permission to edit.
Affected versions
max 5.1.5.
Status
vulnerable
Previous vulnerability researches
CRM and Lead Management by vcita (CVE-2025-5240) , Jul 23, 2025
CRM and Lead Management by vcita (CVE-2024-13702) , Mar 27, 2025
CRM and Lead Management by vcita (CVE-2024-13703) , Mar 14, 2025
CRM and Lead Management by vcita (CVE-2023-2405) , Jun 07, 2024
CRM and Lead Management by vcita (CVE-2023-2404) , Jun 07, 2024
New vulnerability
User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin (CVE-2026-3601) , May 05, 2026
Event Tickets and Registration (CVE-2026-42662) , May 05, 2026
Forminator – Contact Form, Payment Form & Custom Form Builder (CVE-2026-2729) , May 05, 2026
Forminator – Contact Form, Payment Form & Custom Form Builder (CVE-2026-5192) , May 05, 2026
ElementsKit Elementor addons (CVE-2026-4362) , May 05, 2026