cleantalk
Vulnerabilities and Security Researches

User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin, CVE-2026-6145

CVE, Research URL

CVE-2026-6145

Home page URL

Security reports for User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin

Application

User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin

Published on
May 14, 2026
Research Description
The User Registration & Membership plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.1.5. This is due to the is_admin_creation_process() method relying solely on the presence of action=createuser in the $_REQUEST superglobal without performing any authentication or capability check. This makes it possible for unauthenticated attackers to bypass the admin approval requirement when registering new accounts via the fallback submission path.
Affected versions
max 5.1.6.
Status
vulnerable
Previous vulnerability researches
Royal Elementor Addons and Templates (CVE-2025-11363) , Jan 27, 2026
Royal Elementor Addons and Templates (CVE-2026-2373) , Apr 13, 2026
Royal Elementor Addons and Templates (CVE-2026-0664) , Apr 13, 2026
Royal Elementor Addons and Templates (70e3861f811c847c408946a4394074851b3e632a) , Jun 07, 2024
Royal Elementor Addons and Templates (CVE-2026-6504) , May 15, 2026
New vulnerability
Meta Field Block (CVE-2026-6252) , May 16, 2026
Gallery Plugin for WordPress – Envira Photo Gallery (CVE-2026-5361) , May 15, 2026
Database Backup for WordPress (CVE-2026-4029) , May 15, 2026
Database Backup for WordPress (CVE-2026-4031) , May 15, 2026
Database Backup for WordPress (CVE-2026-4030) , May 15, 2026