CVE-2026-1779

HIGH EPSS 25.3%

Published Feb 26, 20264mo ago · Modified Jun 17, 20261w ago

8.1 CVSS 3.1

High

Published Feb 26, 2026 4mo ago

Last Modified Jun 17, 2026 1w ago

Description

The User Registration & Membership plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.2. This is due to incorrect authentication in the 'register_member' function. This makes it possible for unauthenticated attackers to log in a newly registered user on the site who has the 'urm_user_just_created' user meta set.

CVSS Details

Base Score

8.1

Exploitability

2.2

Impact

5.9

Vector string

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector Network

Attack Complexity High

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

25.3% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-288

References 2

plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/user-registration/tags/5.0.4/modules/membership/includes/AJAX.php#L246
wordfence.com https://www.wordfence.com/threat-intel/vulnerabilities/id/d99bc021-ba9e-4294-8dd2-c25bc8007d05?source=cve

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.