{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6203", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-13T09:51:20.465Z", "datePublished": "2026-04-13T22:25:54.316Z", "dateUpdated": "2026-04-24T19:30:44.119Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-24T19:30:44.119Z"}, "affected": [{"vendor": "wpeverest", "product": "User Registration & Membership \u2013 Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.1.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The User Registration & Membership plugin for WordPress is vulnerable to Open Redirect in versions up to and including 5.1.4. This is due to insufficient validation of user-supplied URLs passed via the 'redirect_to_on_logout' GET parameter before redirecting users. The `redirect_to_on_logout` GET parameter is passed directly to WordPress's `wp_redirect()` function instead of the domain-restricted `wp_safe_redirect()`. While `esc_url_raw()` is applied to sanitize malformed URLs, it does not restrict the redirect destination to the local domain, allowing an attacker to craft a specially formed link that redirects users to potentially malicious external URLs after logout, which could be used to facilitate phishing attacks."}], "title": "User Registration & Membership <= 5.1.4 - Unauthenticated Open Redirect via 'redirect_to_on_logout' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/020bed37-9544-49b7-941d-3b7f509fdfdf?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/functions-ur-template.php#L39"}, {"url": "https://plugins.trac.wordpress.org/browser/user-registration/tags/5.1.4/includes/functions-ur-template.php#L39"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')", "cweId": "CWE-601", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Louis Deschanel"}, {"lang": "en", "type": "finder", "value": "Pascal SUN"}, {"lang": "en", "type": "finder", "value": "Anthony Cihan"}], "timeline": [{"time": "2026-04-13T10:06:38.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-13T09:51:38.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6203", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T14:02:44.781539Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:04:53.123Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6203", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T14:02:44.781539Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:04:14.805Z"}}], "cna": {"title": "User Registration & Membership <= 5.1.4 - Unauthenticated Open Redirect via 'redirect_to_on_logout' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Louis Deschanel"}, {"lang": "en", "type": "finder", "value": "Pascal SUN"}, {"lang": "en", "type": "finder", "value": "Anthony Cihan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "wpeverest", "product": "User Registration & Membership \u2013 Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.1.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-13T10:06:38.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-13T09:51:38.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/020bed37-9544-49b7-941d-3b7f509fdfdf?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/functions-ur-template.php#L39"}, {"url": "https://plugins.trac.wordpress.org/browser/user-registration/tags/5.1.4/includes/functions-ur-template.php#L39"}], "descriptions": [{"lang": "en", "value": "The User Registration & Membership plugin for WordPress is vulnerable to Open Redirect in versions up to and including 5.1.4. This is due to insufficient validation of user-supplied URLs passed via the 'redirect_to_on_logout' GET parameter before redirecting users. The `redirect_to_on_logout` GET parameter is passed directly to WordPress's `wp_redirect()` function instead of the domain-restricted `wp_safe_redirect()`. While `esc_url_raw()` is applied to sanitize malformed URLs, it does not restrict the redirect destination to the local domain, allowing an attacker to craft a specially formed link that redirects users to potentially malicious external URLs after logout, which could be used to facilitate phishing attacks."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-24T19:30:44.119Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6203", "state": "PUBLISHED", "dateUpdated": "2026-04-24T19:30:44.119Z", "dateReserved": "2026-04-13T09:51:20.465Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-13T22:25:54.316Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The User Registration & Membership plugin for WordPress is vulnerable to Open Redirect in versions up to and including 5.1.4. This is due to insufficient validation of user-supplied URLs passed via the 'redirect_to_on_logout' GET parameter before redirecting users. The `redirect_to_on_logout` GET parameter is passed directly to WordPress's `wp_redirect()` function instead of the domain-restricted `wp_safe_redirect()`. While `esc_url_raw()` is applied to sanitize malformed URLs, it does not restrict the redirect destination to the local domain, allowing an attacker to craft a specially formed link that redirects users to potentially malicious external URLs after logout, which could be used to facilitate phishing attacks."}], "id": "CVE-2026-6203", "lastModified": "2026-04-22T20:23:16.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-13T23:16:28.110", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/user-registration/tags/5.1.4/includes/functions-ur-template.php#L39"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/functions-ur-template.php#L39"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/020bed37-9544-49b7-941d-3b7f509fdfdf?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.1.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "User Registration & Membership \u2013 Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder", "source": "cna", "vendor": "wpeverest"}, "product": "user_registration_&_membership_\u2013_free_&_paid_memberships,_subscriptions,_content_restriction,_user_profile,_custom_user_registration_&_login_builder", "vendor": "wpeverest"}], "analysis": {"en": {"generated_at": "2026-04-15T15:06:40.817421+00:00", "value": {"mitigation_remediation": ["Upgrade the User Registration & Membership plugin to a version newer than 5.1.4", "Disable or sanitize the 'redirect_to_on_logout' parameter by adding a WordPress filter that enforces domain\u2011restricted redirects before wp_redirect()", "Implement a security plugin or firewall rule that blocks or logs requests containing 'redirect_to_on_logout' that point to external domains, thereby preventing untrusted redirects."], "summary": {"action": "Immediate Patch", "impact": "Open Redirect after logout"}, "threat_synthesis": {"affected_systems": "WordPress websites that use the User Registration & Membership plugin version 5.1.4 or earlier are vulnerable. The plugin provides free and paid membership, subscription, content restriction, user profile, and custom registration & login features. Sites running legacy versions of the plugin are at risk until they are updated.", "description_and_impact": "The User Registration & Membership plugin for WordPress contains an open redirect flaw that allows an unauthenticated attacker to influence the location users are sent to after logging out. By supplying a crafted 'redirect_to_on_logout' query parameter the request bypasses WordPress's safe redirect checks and is processed by wp_redirect(), resulting in a redirection to an arbitrary external site. This weakness corresponds to CWE\u2011601 and can be exploited to facilitate phishing or drive\u2011by infection attacks when users are tricked into following malicious links.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.1. The EPSS score is 1%. The flaw is not noted in the CISA KEV catalog. Attackers could exploit it remotely by directing users to a malicious URL after logout; this attack vector is inferred from the description because the flaw arises from an unauthenticated GET request. Successful exploitation would give an attacker the ability to lure users to phishing or malware delivery sites, compromising user trust and potentially leading to credential theft or broader compromise."}}}}, "created": "2026-04-14T16:16:59.873721+00:00", "updated": "2026-04-15T15:45:07.529049+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpeverest", "wpeverest$PRODUCT$user_registration_&_membership_\u2013_free_&_paid_memberships,_subscriptions,_content_restriction,_user_profile,_custom_user_registration_&_login_builder"]}