An advisory has been published about a critical vulnerability discovered in the User Registration & Membership plugin for WordPress, installed on more than 60,000 websites. The vulnerability is rated 9.8\/10. It enables unauthenticated attackers to create administrator-level accounts.<\/p>\n
User Registration & Membership WordPress Plugin<\/p>\n
The plugin is used to build membership websites. It allows site owners to create custom registration forms, assign user roles, restrict content behind subscription plans, and accept payments for access.<\/p>\n
Unauthenticated Privilege Escalation<\/p>\n
The issue affects all versions up to and including 5.1.2.<\/p>\n
The vulnerability is due to improper privilege management during membership registration. The plugin accepts a user-supplied role when someone registers but does not properly enforce a server-side allowlist of permitted roles.<\/p>\n
A server-side allowlist is a security control that limits which user roles can be assigned during registration. Without that restriction, the system processes whatever role value is submitted.<\/p>\n
Because this check is missing, an attacker can supply administrator as the role during registration.<\/p>\n
What Attackers Can Do<\/p>\n
This makes it possible for unauthenticated attackers to create administrator accounts.<\/p>\n
An administrator account has full control over a WordPress website. With administrator access, an attacker can:<\/p>\n
Install or delete plugins
\nModify themes
\nUpload malicious code
\nCreate or delete user accounts
\nAccess site data
\nCreating an administrator account effectively gives an attacker control of the site.<\/p>\n