CVE-2026-6145

MEDIUM

User Registration & Membership <= 5.1.5 - Unauthenticated Missing Authorization to Admin Approval Bypass via 'action' Parameter

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-6145. PoCs published by Hann1bl3L3ct3r.

AI-analyzed exploit summary The repository contains a functional Python-based PoC for CVE-2026-6145, demonstrating an unauthenticated admin approval bypass in the User Registration & Membership WordPress plugin (≤ 5.1.5). The exploit chains three issues: unauthenticated nonce generation, AJAX nonce bypass, and the core missing authorization flaw in `is_admin_creation_process()`.

Description

The User Registration & Membership plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.1.5. This is due to the is_admin_creation_process() method relying solely on the presence of action=createuser in the $_REQUEST superglobal without performing any authentication or capability check. This makes it possible for unauthenticated attackers to bypass the admin approval requirement when registering new accounts via the fallback submission path.

Exploits (1)

nomisec WORKING POC

by Hann1bl3L3ct3r · poc

https://github.com/Hann1bl3L3ct3r/CVE-2026-6145

View Code ZIP pw:eip

The repository contains a functional Python-based PoC for CVE-2026-6145, demonstrating an unauthenticated admin approval bypass in the User Registration & Membership WordPress plugin (≤ 5.1.5). The exploit chains three issues: unauthenticated nonce generation, AJAX nonce bypass, and the core missing authorization flaw in `is_admin_creation_process()`.

Classification

Working Poc 100%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: User Registration & Membership for WordPress ≤ 5.1.5

No auth needed

Prerequisites: WordPress site with vulnerable plugin version · Registration enabled · Admin approval required · Known registration form ID

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed May 15, 2026 Full analysis →

References (2)

Core 2

Core References

https://plugins.trac.wordpress.org/changeset/3516468/user-registration/trunk/includes/class-ur-user-approval.php

https://www.wordfence.com/threat-intel/vulnerabilities/id/b6b349f2-24c9-4921-bb5f-a7726ebc5c2a?source=cve

Scores

CVSS v3 5.3

EPSS 0.0014

EPSS Percentile 33.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (1)

wpeverest/User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder < 5.1.5

Published May 14, 2026

Tracked Since May 14, 2026