Skip to main content

Th Login Registration CVE-2026-14250

| EUVDEUVD-2026-42217 MEDIUM
Improper Privilege Management (CWE-269)
2026-07-08 Wordfence GHSA-qwpf-8g3r-53wg
6.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
vuln.today AI
8.2 HIGH

REST endpoint is explicitly unauthenticated per description (PR:N); editor role grants full site content control (I:H); no direct availability impact from account creation.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 12:46 vuln.today
CVE Published
Jul 08, 2026 - 11:30 nvd
MEDIUM 6.3

DescriptionCVE.org

The Themehunk Login Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.2. This is due to the handle_frontend_register() function in the unauthenticated /thlogin/v1/register REST endpoint accepting a user-controlled 'role' parameter and validating it only against get_editable_roles() - which returns every defined editable site role, including 'editor' - before passing it to wp_insert_user(). This makes it possible for unauthenticated attackers, when public user registration is enabled, to create new accounts with the editor role.

AnalysisAI

Privilege escalation in the Themehunk Login Registration WordPress plugin (versions up to and including 1.0.2) allows unauthenticated attackers to self-register accounts with elevated roles - including editor - by supplying an arbitrary 'role' parameter to the publicly exposed /thlogin/v1/register REST endpoint. The handle_frontend_register() function validates the supplied role only against get_editable_roles(), which returns every administratively configurable role on the site, then passes it directly to wp_insert_user() without restricting it to the subscriber level expected for public self-registration. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with plugin active
Delivery
Confirm public user registration is enabled
Exploit
Send unauthenticated POST to /thlogin/v1/register with role=editor
Execution
Plugin validates role via get_editable_roles() and accepts it
Persist
wp_insert_user() creates account with editor privileges
Impact
Attacker logs in and gains full site content management access

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target WordPress site have public user registration explicitly enabled under Settings > General (the 'Anyone can register' checkbox) - this is disabled by default in WordPress and is the single gating prerequisite; sites without it are not exposed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L, score 6.3) contains a direct conflict with the CVE description: PR:L implies low-privilege authentication is required, yet the description explicitly identifies the REST endpoint as unauthenticated and states exploitation requires no prior account. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a WordPress site with the Themehunk Login Registration plugin active and public user registration enabled, then sends a single unauthenticated HTTP POST to /wp-json/thlogin/v1/register with a JSON body including 'role': 'editor' alongside required registration fields. The plugin's get_editable_roles() check permits the value, wp_insert_user() creates the account at editor level, and the attacker immediately logs in to edit, publish, or delete all site content. …
Remediation A code change has been committed to the WordPress Plugin SVN repository (changeset 3592690, referenced in the advisory), but no specific patched release version number has been confirmed in the available data - monitor the WordPress Plugin Directory for a version above 1.0.2 and verify its changelog explicitly addresses the role restriction in handle_frontend_register() before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14250 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy