WP-Safety
CVE-2026-32488

User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder <= 4.4.9 - Unauthenticated Remote Code Execution

criticalIncorrect Privilege Assignment
9.8
CVSS Score
9.8
CVSS Score
critical
Severity
5.1.3
Patched in
44d
Time to patch

Description

The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.4.9. This makes it possible for unauthenticated attackers to execute code on the server.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=4.4.9
PublishedMarch 23, 2026
Last updatedMay 5, 2026
Affected pluginuser-registration

Source Code

WordPress.org SVN
Vulnerable v5.1.2
Browse source Download .zip
Patched v5.1.3
Browse source Download .zip
References
https://www.wordfence.com/threat-intel/vulnerabilities/id/37e1a755-7c17-4cb4-acca-9f26238230f3?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database