An advisory has been published about a critical vulnerability discovered in the User Registration & Membership plugin for WordPress, installed on more than 60,000 websites. The vulnerability is rated 9.8/10. It enables unauthenticated attackers to create administrator-level accounts.

User Registration & Membership WordPress Plugin

The plugin is used to build membership websites. It allows site owners to create custom registration forms, assign user roles, restrict content behind subscription plans, and accept payments for access.

Unauthenticated Privilege Escalation

The issue affects all versions up to and including 5.1.2.

The vulnerability is due to improper privilege management during membership registration. The plugin accepts a user-supplied role when someone registers but does not properly enforce a server-side allowlist of permitted roles.

A server-side allowlist is a security control that limits which user roles can be assigned during registration. Without that restriction, the system processes whatever role value is submitted.

Because this check is missing, an attacker can supply administrator as the role during registration.

What Attackers Can Do

This makes it possible for unauthenticated attackers to create administrator accounts.

An administrator account has full control over a WordPress website. With administrator access, an attacker can:

• Install or delete plugins
• Modify themes
• Upload malicious code
• Create or delete user accounts
• Access site data
• Creating an administrator account effectively gives an attacker control of the site.

According to the Wordfence advisory:

“The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to improper privilege management in all versions up to, and including, 5.1.2. This is due to the plugin accepting a user-supplied role during membership registration without properly enforcing a server-side allowlist. This makes it possible for unauthenticated attackers to create administrator accounts by supplying a role value during membership registration.”

Affected and Patched Versions

The vulnerability affects all versions up to and including 5.1.2.

It has been patched in version 5.1.3.

The fix restricts which roles can be assigned during membership registration, preventing users from submitting elevated roles such as administrator.

What Site Owners Should Do

Users of the User Registration & Membership plugin should update to version 5.1.3 or newer. Because the vulnerability does not require authentication, sites that remain on vulnerable versions are exposed to administrator account creation by attackers. Updating the plugin removes the ability for users to assign privileged roles during registration.

Featured Image by Shutterstock/Kues