CVE-2026-6145 - Vulnerability Analysis
Medium | CVSS: 5.3 | Last Updated: May 14, 2026
User Registration & Membership WordPress plugin - Broken Access Control
Published: May 14, 2026 | Updated: May 14, 2026 | PoC Available | Remote Exploitable
Overview
The User Registration & Membership WordPress plugin, versions <= 5.1.5, contains a missing authorization vulnerability: the is_admin_creation_process() method relies on action=createuser without authenticating the request, letting unauthenticated attackers bypass admin approval when registering new accounts.
Severity & Score
Severity: Medium
CVSS Score: 5.3
Impact
Unauthenticated attackers can bypass admin approval to create new accounts, potentially leading to unauthorized access or privilege escalation.
Mitigation
Update to the latest version beyond 5.1.5.
Details
- CVE ID: CVE-2026-6145
- Severity: Medium
- CVSS Score: 5.3
- Type: broken_access_control
- Status: rejected
CWE
- CWE-862
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N