[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fpy4XnTLwaujbEponEWDs5wmBTpnMByl8o2UZhzaK-M4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-6145","user-registration-membership-unauthenticated-missing-authorization-to-admin-approval-bypass-via-action-parameter","User Registration & Membership \u003C= 5.1.5 - Unauthenticated Missing Authorization to Admin Approval Bypass via 'action' Parameter","The User Registration & Membership plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.1.5. This is due to the is_admin_creation_process() method relying solely on the presence of action=createuser in the $_REQUEST superglobal without performing any authentication or capability check. 
This makes it possible for unauthenticated attackers to bypass the admin approval requirement when registering new accounts via the fallback submission path.","user-registration",null,"\u003C=5.1.5","5.1.6","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-13 19:52:48","2026-05-14 08:24:28",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb6b349f2-24c9-4921-bb5f-a7726ebc5c2a?source=api-prod",1,[22,23,24,25,26,27,28,29],"CHANGELOG.txt","assets\u002Fcss\u002Fadmin.scss","assets\u002Fjs\u002Ffrontend\u002Fuser-registration-recaptcha.js","assets\u002Fjs\u002Ffrontend\u002Fuser-registration-recaptcha.min.js","assets\u002Fjs\u002Ffrontend\u002Fuser-registration.js","assets\u002Fjs\u002Ffrontend\u002Fuser-registration.min.js","assets\u002Fjs\u002Fmodules\u002Fmembership\u002Ffrontend\u002Fuser-registration-membership-frontend.js","assets\u002Fjs\u002Fmodules\u002Fmembership\u002Ffrontend\u002Fuser-registration-membership-frontend.min.js","researched",false,3,"# Exploitation Research Plan - CVE-2026-6145\n\n## 1. Vulnerability Summary\nThe **User Registration & Membership** plugin (up to 5.1.5) contains a missing authorization vulnerability within its registration logic. The plugin's internal helper method `is_admin_creation_process()` is used to determine if a registration request originates from the WordPress admin dashboard (e.g., an administrator manually creating a user). If this method returns `true`, the plugin bypasses \"Admin Approval\" requirements and \"Email Confirmation\" steps, assuming the user is being created by a trusted authority.\n\nThe vulnerability exists because `is_admin_creation_process()` relies solely on checking if the `action` parameter in the `$_REQUEST` superglobal is set to `createuser`. It performs no capability checks (`current_user_can`) or authentication verification. 
An unauthenticated attacker can include `action=createuser` in a standard frontend registration request to bypass administrative oversight.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** The \"fallback submission path,\" which is a `POST` request to any frontend page containing a `[user_registration_form]` shortcode or the `admin-ajax.php` endpoint.\n*   **Vulnerable Parameter:** `action=createuser` (added to the `$_REQUEST` \u002F `$_POST` body).\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** \n    *   The plugin must have a registration form published on a page.\n    *   \"User Login Option\" in settings should ideally be set to \"Admin Approval\" or \"Email Confirmation\" to demonstrate the bypass.\n\n## 3. Code Flow\n1.  A user submits a registration form on the frontend.\n2.  The plugin's form handler (likely in `includes\u002Fclass-ur-frontend-form-handler.php`) catches the `POST` request.\n3.  During the user creation process, the plugin determines the initial user status (e.g., `active`, `pending`).\n4.  The plugin calls `is_admin_creation_process()` (often located in a utility or main class).\n5.  **Vulnerable Logic:**\n    ```php\n    public function is_admin_creation_process() {\n        if ( isset( $_REQUEST['action'] ) && 'createuser' === $_REQUEST['action'] ) {\n            return true; \u002F\u002F Vulnerability: No capability check here.\n        }\n        return false;\n    }\n    ```\n6.  If it returns `true`, the plugin assigns the user an \"Approved\" status immediately, bypassing the configured `admin_approval` requirement.\n7.  The user is created and can log in immediately.\n\n## 4. Nonce Acquisition Strategy\nThe User Registration plugin uses a nonce to protect form submissions. This nonce is localized for the frontend.\n\n1.  **Identify Shortcode:** The plugin uses `[user_registration_form id=\"\u003CID>\"]`.\n2.  **Setup Page:** Create a page with a known form ID.\n3.  
**Variable Name:** The plugin localizes data into the `user_registration_params` object.\n4.  **Nonce Key:** The key is typically `ur_frontend_form_nonce`.\n5.  **Acquisition via `browser_eval`:**\n    ```javascript\n    window.user_registration_params?.ur_frontend_form_nonce\n    ```\n\n## 5. Exploitation Strategy\n\n### Step 1: Configuration\nEnsure the plugin is configured to require admin approval for new users.\n\n### Step 2: Form Discovery\nIdentify the required field names for a specific form. Fields are usually prefixed with the field type and suffixed with the form ID (e.g., `user_login_100`, `user_email_100`).\n\n### Step 3: Payload Construction\nConstruct a `POST` request mimicking a regular registration but adding the `action` parameter.\n\n**Request Details:**\n*   **Method:** `POST`\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php` (or the URL of the page containing the form).\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body Parameters:**\n    *   `user_login_\u003CID>`: `attacker_user`\n    *   `user_email_\u003CID>`: `attacker@example.com`\n    *   `user_pass_\u003CID>`: `Password123!`\n    *   `ur_frontend_form_nonce`: `\u003CEXTRACTED_NONCE>`\n    *   `form_id`: `\u003CID>`\n    *   **`action`**: `createuser`  \u003C-- **The Bypass Payload**\n\n### Step 4: Execution\nSubmit the request using the `http_request` tool.\n\n## 6. Test Data Setup\n1.  **Create Form:** Use WP-CLI to ensure a form exists (or use the default form created upon installation).\n    *   `wp post list --post_type=user_registration` to find the form ID.\n2.  **Configure Approval:** Set the plugin option to require admin approval.\n    *   `wp option update user_registration_general_setting_login_options admin_approval`\n3.  **Create Page:**\n    *   `wp post create --post_type=page --post_title=\"Register\" --post_status=publish --post_content='[user_registration_form id=\"\u003CFORM_ID>\"]'`\n4.  
**Extract Form Fields:** Navigate to the page and inspect the `input` names within the `\u003Cform>`.\n\n## 7. Expected Results\n*   **Normal Registration (Without Payload):** The response indicates the user is \"under approval\" or \"pending.\" The `wp_users` table shows the user, but `wp_usermeta` shows a `user_status` of `pending`.\n*   **Exploited Registration (With `action=createuser`):** The response indicates successful registration\u002Flogin. The user is created with an \"Approved\" status.\n\n## 8. Verification Steps\nAfter sending the `POST` request, verify the user's status using WP-CLI:\n\n1.  **Check User Existence:**\n    *   `wp user get attacker_user`\n2.  **Check Approval Status:**\n    *   `wp user meta get attacker_user user_registration_status`\n    *   *Expected Result:* If the value is `approved` or empty (depending on version logic) instead of `pending`, the bypass was successful.\n3.  **Attempt Login:**\n    *   Try to authenticate via `wp-login.php` with the new credentials.\n\n## 9. Alternative Approaches\nIf the `admin-ajax.php` route is blocked or requires a different action string for routing (e.g., `user_registration_user_register_ajax`), the `action=createuser` parameter can be sent as a query string parameter while the registration action is sent in the POST body:\n\n`POST \u002Fwp-admin\u002Fadmin-ajax.php?action=createuser`\n`Body: action=user_registration_user_register_ajax&...`\n\nAlternatively, if the \"fallback path\" is targeted (standard POST to a page), the `action` parameter should be included in the POST body alongside the form fields. This is often the more reliable path for this specific vulnerability as it targets the non-AJAX processing logic where `is_admin_creation_process()` is most likely to be invoked without a conflicting routing `action`.","The User Registration & Membership plugin for WordPress (up to 5.1.5) fails to validate administrative privileges in its `is_admin_creation_process()` helper method. 
Unauthenticated attackers can include an `action=createuser` parameter in a standard registration request to bypass 'Admin Approval' and 'Email Confirmation' settings, resulting in immediate account activation.","\u002F\u002F Potential path: includes\u002Fclass-user-registration.php\npublic function is_admin_creation_process() {\n    if ( isset( $_REQUEST['action'] ) && 'createuser' === $_REQUEST['action'] ) {\n        return true; \u002F\u002F Vulnerability: No capability check here.\n    }\n    return false;\n}","--- a\u002Fincludes\u002Fclass-user-registration.php\n+++ b\u002Fincludes\u002Fclass-user-registration.php\n@@ -1015,7 +1015,7 @@\n \tpublic function is_admin_creation_process() {\n-\t\tif ( isset( $_REQUEST['action'] ) && 'createuser' === $_REQUEST['action'] ) {\n+\t\tif ( isset( $_REQUEST['action'] ) && 'createuser' === $_REQUEST['action'] && current_user_can( 'create_users' ) ) {\n \t\t\treturn true;\n \t\t}\n \n \t\treturn false;","An unauthenticated attacker identifies a frontend registration page and extracts the `ur_frontend_form_nonce` from the `user_registration_params` localized script object. They then send a POST request to either the page URL or `admin-ajax.php` containing the standard registration fields (e.g., `user_login_\u003CID>`) plus the parameter `action=createuser`. This payload causes the `is_admin_creation_process()` check to return true because it only checks for the presence of the string 'createuser' in the request without verifying the user's capabilities. 
As a result, the plugin bypasses the 'Admin Approval' requirement and immediately activates the account.","gemini-3-flash-preview","2026-05-14 16:50:20","2026-05-14 16:51:12",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","5.1.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuser-registration\u002Ftags\u002F5.1.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuser-registration.5.1.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuser-registration\u002Ftags\u002F5.1.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuser-registration.5.1.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuser-registration\u002Ftags"]
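Review bot: the condition in `is_admin_creation_process()` (the `research_fix_diff` hunk at `@@ -1015,7 +1015,7 @@` in `includes/class-user-registration.php`) still takes `action` from `$_REQUEST`, so the admin-creation branch is chosen by a caller-supplied parameter plus a capability, and nothing in the hunk ties the request to the admin user-creation screen. A logged-in user who holds `create_users` and submits the frontend form with `action=createuser` would still skip approval. Consider also requiring `is_admin()` and verifying the admin form's nonce before returning true. A docblock on the method should state that callers treat a true result as permission to skip admin approval and email confirmation, so that later edits keep the capability check.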