WordPress Plugin Vulnerabilities

User Registration < 5.0 - Authenticated (Subscriber+) Arbitrary Shortcode Execution

Description

The The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.4.9. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.

Affects Plugins

Plugin icon
user-registration
Fixed in 5.0

References

CVE
CVE-2026-24353
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/cd4c2c11-2d73-48b4-8e7e-e281451973a2

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Kishan Vyas
Verified
No
WPVDB ID
04c9ab43-6f47-4ecf-a849-cfa839236472

Timeline

Publicly Published
2026-01-08 (about 4 months ago)
Added
2026-02-03 (about 3 months ago)
Last Updated
2026-02-03 (about 3 months ago)

Other

Published
Title
Published
2024-01-03
Title
LearnPress < 4.2.5.8 - Unauthenticated Command Injection
Published
2022-10-03
Title
WP ALL Export Pro < 1.7.9 - Authenticated Code Injection
Published
2025-02-07
Title
WP All Export Pro < 1.9.2 - Unauthenticated Remote Code Execution via Custom Export Fields
Published
2022-06-28
Title
Import any XML or CSV File to WordPress < 3.6.8 - Admin+ Arbitrary Code Execution
Published
2025-07-31
Title
Product XML Feed Manager for WooCommerce < 2.9.4 - Authenticated (Contributor+) Remote Code Execution