cleantalk
Vulnerabilities and Security Researches

User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin, CVE-2026-4056

CVE, Research URL

CVE-2026-4056

Home page URL

Security reports for User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin

Application

User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin

Published on
Mar 24, 2026
Research Description
The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Content Access Rules REST API endpoints in versions 5.0.1 through 5.1.4. This is due to the `check_permissions()` method only checking for `edit_posts` capability instead of an administrator-level capability. This makes it possible for authenticated attackers, with Contributor-level access and above, to list, create, modify, toggle, duplicate, and delete site-wide content restriction rules, potentially exposing restricted content or denying legitimate user access.
Affected versions
max 5.1.5.
Status
vulnerable
Previous vulnerability researches
Restrict User Registration (CVE-2023-53599) , Nov 10, 2025
Restrict User Registration (CVE-2025-32655) , Apr 14, 2025
User Registration Aide (CVE-2025-53239) , Nov 10, 2025
User Registration Using Contact Form 7 (CVE-2025-12825) , Jan 28, 2026
User Registration Using Contact Form 7 (CVE-2025-32679) , Apr 11, 2025
New vulnerability
VI: Include Post By (CVE-2026-5717) , Apr 17, 2026
Responsive Accordion Slider (CVE-2026-0635) , Apr 17, 2026
Petje.af (CVE-2026-4002) , Apr 17, 2026
LinkedIn SC (CVE-2026-0812) , Apr 17, 2026
Coachific Shortcode (CVE-2026-4005) , Apr 17, 2026