Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
REST endpoint is explicitly unauthenticated per description (PR:N); editor role grants full site content control (I:H); no direct availability impact from account creation.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
The Themehunk Login Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.2. This is due to the handle_frontend_register() function in the unauthenticated /thlogin/v1/register REST endpoint accepting a user-controlled 'role' parameter and validating it only against get_editable_roles() - which returns every defined editable site role, including 'editor' - before passing it to wp_insert_user(). This makes it possible for unauthenticated attackers, when public user registration is enabled, to create new accounts with the editor role.
AnalysisAI
Privilege escalation in the Themehunk Login Registration WordPress plugin (versions up to and including 1.0.2) allows unauthenticated attackers to self-register accounts with elevated roles - including editor - by supplying an arbitrary 'role' parameter to the publicly exposed /thlogin/v1/register REST endpoint. The handle_frontend_register() function validates the supplied role only against get_editable_roles(), which returns every administratively configurable role on the site, then passes it directly to wp_insert_user() without restricting it to the subscriber level expected for public self-registration. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target WordPress site have public user registration explicitly enabled under Settings > General (the 'Anyone can register' checkbox) - this is disabled by default in WordPress and is the single gating prerequisite; sites without it are not exposed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L, score 6.3) contains a direct conflict with the CVE description: PR:L implies low-privilege authentication is required, yet the description explicitly identifies the REST endpoint as unauthenticated and states exploitation requires no prior account. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a WordPress site with the Themehunk Login Registration plugin active and public user registration enabled, then sends a single unauthenticated HTTP POST to /wp-json/thlogin/v1/register with a JSON body including 'role': 'editor' alongside required registration fields. The plugin's get_editable_roles() check permits the value, wp_insert_user() creates the account at editor level, and the attacker immediately logs in to edit, publish, or delete all site content. … |
| Remediation | A code change has been committed to the WordPress Plugin SVN repository (changeset 3592690, referenced in the advisory), but no specific patched release version number has been confirmed in the available data - monitor the WordPress Plugin Directory for a version above 1.0.2 and verify its changelog explicitly addresses the role restriction in handle_frontend_register() before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42217
GHSA-qwpf-8g3r-53wg