Skip to main content

User Registration CVE-2026-32488

| EUVDEUVD-2026-15830 HIGH
Incorrect Privilege Assignment (CWE-266)
2026-03-25 Patchstack GHSA-9hpg-mwp6-rhmw
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15830
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 8.1

DescriptionCVE.org

Incorrect Privilege Assignment vulnerability in wpeverest User Registration user-registration allows Privilege Escalation.This issue affects User Registration: from n/a through <= 4.4.9.

AnalysisAI

A privilege escalation vulnerability exists in the wpeverest User Registration WordPress plugin through version 4.4.9 due to incorrect privilege assignment (CWE-266). This flaw allows authenticated or unauthenticated attackers to escalate their privileges within the plugin, potentially gaining administrative access or elevated capabilities. No CVSS score, EPSS data, or KEV status has been published, limiting quantification of real-world exploitation risk, though the vulnerability was reported by Patchstack and affects all installations running version 4.4.9 or earlier.

Technical ContextAI

The wpeverest User Registration plugin (CPE: cpe:2.3:a:wpeverest:user_registration:*:*:*:*:*:*:*:*) is a WordPress plugin that manages user registration workflows and capabilities. The vulnerability stems from CWE-266 (Incorrect Privilege Assignment), a category of flaws where the application fails to properly restrict user capabilities or roles. This occurs when the plugin assigns roles, permissions, or capabilities without adequate validation, allowing users to claim privileges they should not possess. The affected component likely resides in the role/capability assignment logic during user registration, profile updates, or administrative functions, enabling horizontal or vertical privilege escalation depending on the attack vector.

RemediationAI

Immediately upgrade the wpeverest User Registration plugin to a version newer than 4.4.9 (monitor vendor release notes at https://patchstack.com/database/Wordpress/Plugin/user-registration/vulnerability for available patches). Until patching is completed, enforce strict role-based access control (RBAC) policies through WordPress user capabilities filtering, restrict plugin functionality to trusted user roles via code or configuration, and consider temporarily disabling user self-registration features if the vulnerability is tied to that code path. Review and audit existing user accounts for unexpected privilege escalation, and monitor login logs for suspicious privilege-escalation attempts. If immediate patching is delayed, consider temporarily deactivating the plugin or using a Web Application Firewall (WAF) to rate-limit or block requests to plugin endpoints.

Share

CVE-2026-32488 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy