User Registration & Membership < 5.1.5 – Missing Authorization to Authenticated (Contributor+) Limited Page Content Modification | CVE 2026-3601 | Plugin Vulnerabilities

Description

The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `embed_form_action()` function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to append shortcode content to arbitrary pages they do not own or have permission to edit.

Affects Plugins

user-registration

Fixed in 5.1.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c8798fb2-4cab-4960-9e32-fd74bb4a5091

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Hunter Jensen (skid)

Verified

No

WPVDB ID

1c68afed-33a2-4ce8-8b64-c118170d5c35

Timeline

Publicly Published

2026-05-04 (about 9 days ago)

Added

2026-05-04 (about 8 days ago)

Last Updated

2026-05-05 (about 8 days ago)

Other

Published

Title

Published

2026-05-05

Title

Ninja Tables < 5.2.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Table Creation

Published

2024-11-18

Title

Banner System <= 1.0.0 - Privilege Escalation

Published

2025-12-05

Title

Constant Contact + WooCommerce < 2.4.2 - Missing Authorization

Published

2024-04-29

Title

MailerLite – Signup forms (official) < 1.7.7 - Missing Authorization

Published

2025-08-22

Title

WC Plus <= 1.2.0 - Missing Authorization to Unauthenticated Settings Manipulation