cleantalk
Vulnerabilities and Security Researches

User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin, CVE-2026-6145

CVE, Research URL

CVE-2026-6145

Home page URL

Security reports for User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin

Application

User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin

Published on
May 14, 2026
Research Description
The User Registration & Membership plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.1.5. This is due to the is_admin_creation_process() method relying solely on the presence of action=createuser in the $_REQUEST superglobal without performing any authentication or capability check. This makes it possible for unauthenticated attackers to bypass the admin approval requirement when registering new accounts via the fallback submission path.
Affected versions
max 5.1.6.
Status
vulnerable
Previous vulnerability researches
PDF Generator For Fluent Forms – The Contact Form Plugin (CVE-2023-6953) , Jun 06, 2024
Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder (CVE-2025-13748) , Jan 10, 2026
Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder (CVE-2024-5053) , Sep 01, 2024
Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder (CVE-2024-9528) , Oct 05, 2024
Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder (CVE-2024-13666) , Mar 23, 2025
New vulnerability
Meta Field Block (CVE-2026-6252) , May 16, 2026
Gallery Plugin for WordPress – Envira Photo Gallery (CVE-2026-5361) , May 15, 2026
Database Backup for WordPress (CVE-2026-4029) , May 15, 2026
Database Backup for WordPress (CVE-2026-4031) , May 15, 2026
Database Backup for WordPress (CVE-2026-4030) , May 15, 2026