CVE-2026-6145 Overview
CVE-2026-6145 is a Missing Authorization vulnerability [CWE-862] in the User Registration & Membership plugin for WordPress. The flaw affects all versions up to and including 5.1.5. The is_admin_creation_process() method checks only for the presence of action=createuser in the $_REQUEST superglobal. It performs no authentication or capability verification. Unauthenticated attackers can use this gap to bypass the admin approval requirement when registering accounts through the fallback submission path.
Critical Impact
Unauthenticated attackers can bypass administrator approval for new account registrations, undermining access control on sites that rely on manual approval as a registration safeguard.
Affected Products
- WordPress User Registration & Membership plugin, versions up to and including 5.1.5
Discovery Timeline
- 2026-05-14 - CVE-2026-6145 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-6145
Vulnerability Analysis
The User Registration & Membership plugin supports an administrator approval workflow that requires a privileged user to approve new accounts before they become active. The plugin exposes a fallback submission path that routes registration through the is_admin_creation_process() method in class-ur-user-approval.php. That method determines whether the current request originates from an administrator-driven account creation.
The check inspects the $_REQUEST superglobal for action=createuser and returns true when found. No nonce, capability check, or authentication verification accompanies this decision. An unauthenticated visitor can craft a request that includes the same parameter and impersonate the administrator creation flow. The plugin then treats the registration as administrator-initiated and skips the approval gate.
This is a classic Missing Authorization weakness. The code relies on a request parameter as a trust signal instead of validating the caller's identity or role.
Root Cause
The root cause is the absence of current_user_can() or equivalent capability checks inside is_admin_creation_process(). The method also lacks nonce verification through wp_verify_nonce(). Authorization decisions are derived from attacker-controlled input.
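The decision the analysis describes, as an added illustration (not the plugin's own code from class-ur-user-approval.php): the weak check trusts only the request parameter, while the hardened version also requires an authenticated caller holding the create_users capability and a valid nonce. The nonce action and field names mirror what WordPress core's Add New User screen uses; the 'approved'/'pending' status strings are placeholders for this illustration, not the plugin's actual values.

```php
<?php
// Added illustration, not the plugin's own code. Reconstructs the weak
// decision described in the analysis beside a hardened equivalent.

// Weak: treats attacker-controlled input as an authorization signal.
// Any unauthenticated request carrying action=createuser passes this check.
function is_admin_creation_process_weak(): bool {
    return isset( $_REQUEST['action'] ) && 'createuser' === $_REQUEST['action'];
}

// Hardened: the parameter alone proves nothing. Require a logged-in caller
// with the capability WordPress itself demands on the Add New User screen,
// plus a nonce bound to that action. Nonce names follow core's user-new.php
// (check_admin_referer( 'create-user', '_wpnonce_create-user' )); verify
// against your WordPress version.
function is_admin_creation_process_hardened(): bool {
    if ( ! isset( $_REQUEST['action'] ) || 'createuser' !== $_REQUEST['action'] ) {
        return false;
    }
    if ( ! is_user_logged_in() || ! current_user_can( 'create_users' ) ) {
        return false;
    }
    $nonce = isset( $_REQUEST['_wpnonce_create-user'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce_create-user'] ) )
        : '';
    return (bool) wp_verify_nonce( $nonce, 'create-user' );
}

// How the approval gate should consume the decision: anything that is not a
// verified administrator-driven creation is held for manual approval.
// Status strings are placeholders, not the plugin's real ur_user_status values.
function registration_status_for_new_user(): string {
    return is_admin_creation_process_hardened() ? 'approved' : 'pending';
}
```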
Attack Vector
An attacker sends an unauthenticated HTTP request to the registration endpoint and includes action=createuser as a request parameter. The plugin treats the submission as if it came from the WordPress administrator user creation screen and provisions the account without the pending approval status. The result is an integrity impact: the approval workflow is bypassed and accounts become usable without administrator review.
For the code-level fix, see the WordPress Changeset Notification.
Detection Methods for CVE-2026-6145
Indicators of Compromise
- HTTP POST or GET requests to WordPress registration endpoints containing action=createuser in the query string or request body from unauthenticated sessions.
- New WordPress user accounts created without an associated entry in the user approval pending queue.
- Spikes in user registration volume that do not correlate with normal traffic patterns or marketing activity.
Detection Strategies
- Inspect web server access logs for unauthenticated requests carrying action=createuser parameters targeting the User Registration plugin endpoints.
- Audit the WordPress wp_users and wp_usermeta tables for accounts created after the plugin was installed that lack the ur_user_status pending flag.
- Correlate plugin version data with registration anomalies to identify hosts still running version 5.1.5 or earlier.
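The first detection strategy above, as an added example that is not part of the original advisory: a scan over constructed access-log lines that flags requests carrying action=createuser when no WordPress login cookie accompanied them. It assumes a custom log format whose last quoted column is the Cookie header (the standard combined format does not record cookies) and can only see parameters in the query string; parameters sent in a POST body need application-level logging.

```php
<?php
// Added example for the detection strategy above; not vendor code.
// Assumed custom access-log format, with the Cookie header as the last
// quoted column:
//   IP - - [date] "METHOD TARGET HTTP/1.1" STATUS SIZE "COOKIES"
// Constructed sample lines (addresses from documentation ranges):
$sample_log = <<<'LOG'
203.0.113.5 - - [14/May/2026:10:01:02 +0000] "POST /register/?action=createuser HTTP/1.1" 302 0 "-"
198.51.100.7 - - [14/May/2026:10:02:15 +0000] "GET /register/ HTTP/1.1" 200 5120 "-"
192.0.2.9 - - [14/May/2026:10:03:40 +0000] "POST /wp-admin/user-new.php?action=createuser HTTP/1.1" 302 0 "wordpress_logged_in_abc=admin%7Cxyz"
203.0.113.5 - - [14/May/2026:10:04:01 +0000] "POST /register/?action=createuser HTTP/1.1" 302 0 "-"
LOG;

// Returns one entry per request that carried action=createuser without a
// wordpress_logged_in_<hash> cookie, i.e. from an unauthenticated session.
function flag_unauthenticated_createuser( string $log ): array {
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"$/';
    $hits    = [];
    foreach ( preg_split( "/\r?\n/", trim( $log ) ) as $line ) {
        if ( ! preg_match( $pattern, $line, $m ) ) {
            continue; // line does not match the assumed format
        }
        [ , $ip, $ts, $method, $target, $status, $cookies ] = $m;
        $query = parse_url( $target, PHP_URL_QUERY ) ?? '';
        parse_str( $query, $params );
        if ( ( $params['action'] ?? '' ) !== 'createuser' ) {
            continue;
        }
        // A logged-in WordPress session always sends a wordpress_logged_in_* cookie.
        if ( str_contains( $cookies, 'wordpress_logged_in_' ) ) {
            continue; // authenticated caller: legitimate admin creation path
        }
        $hits[] = compact( 'ip', 'ts', 'method', 'target', 'status' );
    }
    return $hits;
}

// Expected on the sample above: the two /register/ requests from 203.0.113.5.
foreach ( flag_unauthenticated_createuser( $sample_log ) as $h ) {
    printf( "SUSPECT %s %s %s (%s) at %s\n", $h['ip'], $h['method'], $h['target'], $h['status'], $h['ts'] );
}
```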
Monitoring Recommendations
- Enable WordPress audit logging to track user creation events and capture the originating IP, session, and request parameters.
- Forward web server and application logs to a centralized analytics platform for retention and query against the indicators above.
- Alert on registration events that occur outside of expected business hours or from low-reputation IP ranges.
How to Mitigate CVE-2026-6145
Immediate Actions Required
- Update the User Registration & Membership plugin to a release later than 5.1.5 that contains the fix from changeset 3516468.
- Review all user accounts created since the plugin was installed and disable any accounts that did not follow the expected approval workflow.
- Rotate credentials for any accounts that were provisioned with elevated roles during the exposure window.
Patch Information
The vendor addressed the issue in the class-ur-user-approval.php file. Technical details for the code change are available in the WordPress Changeset Notification and the Wordfence Vulnerability Analysis.
Workarounds
- If immediate patching is not possible, deactivate the User Registration & Membership plugin until the update can be applied.
- Deploy a web application firewall rule that blocks unauthenticated requests containing action=createuser to WordPress front-end endpoints.
- Temporarily disable open registration in WordPress settings to remove the fallback submission path from public reach.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.