{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24353", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:24.566Z", "datePublished": "2026-01-22T16:52:43.122Z", "dateUpdated": "2026-04-28T16:14:47.666Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "user-registration", "product": "User Registration", "vendor": "wpeverest", "versions": [{"changes": [{"at": "5.0", "status": "unaffected"}], "lessThanOrEqual": "4.4.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Kishan Vyas | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:02.251Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects User Registration: from n/a through <= 4.4.9.</p>"}], "value": "Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Registration: from n/a through <= 4.4.9."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:47.666Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/user-registration/vulnerability/wordpress-user-registration-plugin-4-4-9-arbitrary-shortcode-execution-vulnerability?_s_id=cve"}], "title": "WordPress User Registration plugin <= 4.4.9 - Arbitrary Shortcode Execution vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T16:48:43.763283Z", "id": "CVE-2026-24353", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T01:47:25.071Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24353", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-23T16:48:43.763283Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T16:48:46.863Z"}}], "cna": {"title": "WordPress User Registration plugin <= 4.4.9 - Arbitrary Shortcode Execution vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Kishan Vyas | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "wpeverest", "product": "User Registration", "versions": [{"status": "affected", "changes": [{"at": "5.0", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "4.4.9"}], "packageName": "user-registration", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:21:02.251Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/user-registration/vulnerability/wordpress-user-registration-plugin-4-4-9-arbitrary-shortcode-execution-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Registration: from n/a through <= 4.4.9.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects User Registration: from n/a through <= 4.4.9.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:04.083Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24353", "state": "PUBLISHED", "dateUpdated": "2026-04-28T01:47:25.071Z", "dateReserved": "2026-01-22T14:42:24.566Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:52:43.122Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Registration: from n/a through <= 4.4.9."}, {"lang": "es", "value": "Vulnerabilidad por falta de autorizaci\u00f3n en wpeverest User Registration user-registration permite la explotaci\u00f3n de niveles de seguridad de control de acceso incorrectamente configurados. Este problema afecta a User Registration: desde n/a hasta &lt;= 4.4.9."}], "id": "CVE-2026-24353", "lastModified": "2026-04-28T03:16:02.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:38.910", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/user-registration/vulnerability/wordpress-user-registration-plugin-4-4-9-arbitrary-shortcode-execution-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:01:21.749574+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest User Registration plugin (4.5 or newer) to eliminate the flaw.", "Configure the plugin to restrict shortcode execution to trusted roles such as administrators, ensuring unauthenticated or lower\u2011privilege users cannot trigger the shortcode.", "If an upgrade is not immediately possible, disable or remove the User Registration plugin or remove the shortcode functionality from the registration form until the issue is fixed."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects the User Registration plugin from its earliest available version through version 4.4.9. Any WordPress installation using wpeverest\u2019s User Registration plugin up to that point is vulnerable.", "description_and_impact": "The vulnerability permits an attacker to execute arbitrary shortcodes through the User Registration plugin because the plugin\u2019s access control is incorrectly configured. This missing authorization flaw allows code to run with the privileges of the WordPress installation, potentially compromising the entire site. The weakness aligns with missing authorization (CWE\u2011862) and results in an impact of remote code execution.", "risk_and_exploitability": "With a CVSS score of 4.3 the vulnerability is deemed medium severity, yet current exploit probability is low (EPSS < 1%) and it is not listed in the CISA KEV catalog. The likely attack vector is a crafted request to the plugin\u2019s shortcode functionality, exploitable by users who can inject content or by administrators lacking proper access controls. Until a patch is applied, the risk remains moderate if an attacker can leverage the shortcode mechanism on the site."}}}}, "created": "2026-01-23T16:28:22.604773+00:00", "updated": "2026-04-28T18:15:37.350443+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpeverest", "wpeverest$PRODUCT$user_registration"]}