Skip to main content

User Registration CVE-2026-52701

| EUVDEUVD-2026-39782 MEDIUM
Missing Authorization (CWE-862)
2026-06-26 audit@patchstack.com GHSA-252c-7783-4v3h
6.5
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
6.5 MEDIUM

Network-reachable unauthenticated endpoint with no user interaction; limited read/write impact on plugin data only, no availability or scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:06 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in User Registration <= 5.2.2 versions.

AnalysisAI

Broken access control in the WordPress User Registration plugin (versions <= 5.2.2) allows unauthenticated remote attackers to bypass authorization checks and access or manipulate functionality restricted to privileged users. The flaw stems from missing authorization (CWE-862) on one or more plugin endpoints, permitting network-accessible exploitation with no credentials or user interaction required. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify target WordPress site with User Registration plugin
Exploit
Send unauthenticated HTTP request to AJAX endpoint
Execution
Bypass missing authorization check
Impact
Read or modify restricted registration data

Vulnerability AssessmentAI

Exploitation No authentication is required - CVSS PR:N confirms exploitation by unauthenticated remote users. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS score of 6.5 (Medium) reflects a network-accessible, unauthenticated, low-complexity flaw with limited confidentiality and integrity impact (C:L/I:L/A:N) and no scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker sends a crafted HTTP POST request to the WordPress AJAX endpoint targeting a plugin action that lacks a capability or authentication check. The server processes the request without verifying identity, allowing the attacker to read user-related data or trigger registration-related write operations that should require elevated privileges. …
Remediation Update the User Registration plugin to a version beyond 5.2.2 as soon as the vendor releases a patched build; check the WordPress plugin repository (wordpress.org/plugins/user-registration) or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/user-registration/vulnerability/wordpress-user-registration-plugin-5-1-5-broken-access-control-vulnerability for the confirmed fixed version number, which is not independently confirmed in the available intelligence data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52701 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy