{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67956", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:16.553Z", "datePublished": "2026-01-22T16:51:56.303Z", "dateUpdated": "2026-04-29T09:51:55.997Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "user-registration", "product": "User Registration", "vendor": "wpeverest", "versions": [{"changes": [{"at": "4.4.7", "status": "unaffected"}], "lessThanOrEqual": "4.4.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Mdr | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:02:20.982Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects User Registration: from n/a through <= 4.4.6.</p>"}], "value": "Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Registration: from n/a through <= 4.4.6."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:55.997Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/user-registration/vulnerability/wordpress-user-registration-plugin-4-4-6-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress User Registration plugin <= 4.4.6 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-29T17:17:14.821108Z", "id": "CVE-2025-67956", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T18:41:19.685Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-67956", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-29T17:17:14.821108Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T17:17:09.071Z"}}], "cna": {"title": "WordPress User Registration plugin <= 4.4.6 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Mdr | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "wpeverest", "product": "User Registration", "versions": [{"status": "affected", "changes": [{"at": "4.4.7", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 4.4.6"}], "packageName": "user-registration", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-01-22T17:43:49.960Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/user-registration/vulnerability/wordpress-user-registration-plugin-4-4-6-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Registration: from n/a through <= 4.4.6.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects User Registration: from n/a through <= 4.4.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-01-22T16:51:56.303Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67956", "state": "PUBLISHED", "dateUpdated": "2026-01-29T18:41:19.685Z", "dateReserved": "2025-12-15T10:00:16.553Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:51:56.303Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Registration: from n/a through <= 4.4.6."}, {"lang": "es", "value": "Vulnerabilidad de Autorizaci\u00f3n faltante en wpeverest User Registration user-registration permite Explotar Niveles de Seguridad de Control de Acceso Mal Configurados. Este problema afecta a User Registration: desde n/a hasta &lt;= 4.4.6."}], "id": "CVE-2025-67956", "lastModified": "2026-04-29T10:16:52.257", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-22T17:16:05.150", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/user-registration/vulnerability/wordpress-user-registration-plugin-4-4-6-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T09:58:14.359500+00:00", "value": {"mitigation_remediation": ["Upgrade the WordPress User Registration plugin to any version newer than 4.4.6, if a patch is available from wpeverest.", "If an update is not immediately available, disable the plugin\u2019s public registration endpoints or restrict access to the registration pages to trusted IP addresses.", "Verify that all access control configurations for user roles and capabilities are correctly defined and enforce the principle of least privilege."], "summary": {"action": "Patch Immediately", "impact": "Unprivileged Access"}, "threat_synthesis": {"affected_systems": "The issue affects the WordPress User Registration plugin sold by wpeverest, specifically all versions up to and including 4.4.6. Sites running any of these versions are at risk, while newer releases are presumed to have a fix.", "description_and_impact": "The vulnerability is a missing authorization flaw in the WordPress User Registration plugin that allows attackers to exploit incorrectly configured access control security levels. This broken access control can enable unauthorized users to perform actions that should be restricted, potentially leading to the creation, modification, or deletion of user accounts and sensitive data. The weakness is identified as CWE\u2011862, highlighting a failure to enforce proper permissions.", "risk_and_exploitability": "With a CVSS score of 8.2 the vulnerability is considered high severity. The EPSS score of less than 1% suggests a low probability of exploitation in the wild at the time of this analysis, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through the plugin\u2019s public-facing registration interface, where an attacker may submit crafted requests to perform unauthorized actions. Mitigation requires removing or patching the vulnerable code."}}}}, "created": "2026-01-23T16:31:03.326364+00:00", "updated": "2026-04-28T10:00:06.507559+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpeverest", "wpeverest$PRODUCT$user_registration"]}