Wpeverest User Registration vulnerabilities
14 known vulnerabilities affecting wpeverest/user_registration.
Total CVEs
14
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL1HIGH6MEDIUM7
Vulnerabilities
Page 1 of 1
CVE-2026-32488HIGHCVSS 8.1≥ n/a, ≤ <= 4.4.92026-03-25
CVE-2026-32488 [HIGH] CWE-266 CVE-2026-32488: Incorrect Privilege Assignment vulnerability in wpeverest User Registration user-registration allows
Incorrect Privilege Assignment vulnerability in wpeverest User Registration user-registration allows Privilege Escalation.This issue affects User Registration: from n/a through <= 4.4.9.
cvelistv5nvd
CVE-2026-24353HIGHCVSS 8.1≤ 4.4.92026-01-22
CVE-2026-24353 [HIGH] CWE-862 CVE-2026-24353: Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiti
Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Registration: from n/a through <= 4.4.9.
cvelistv5nvd
CVE-2025-67956HIGHCVSS 8.2≤ 4.4.62026-01-22
CVE-2025-67956 [HIGH] CWE-862 CVE-2025-67956: Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiti
Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Registration: from n/a through <= 4.4.6.
cvelistv5nvd
CVE-2025-39400MEDIUMCVSS 6.1≤ 4.2.02025-04-24
CVE-2025-39400 [MEDIUM] CWE-79 CVE-2025-39400: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability i
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpeverest User Registration user-registration allows Reflected XSS.This issue affects User Registration: from n/a through < 4.2.0.
cvelistv5nvd
CVE-2025-30899MEDIUMCVSS 4.8≤ 4.0.32025-03-27
CVE-2025-30899 [MEDIUM] CWE-79 CVE-2025-30899: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability i
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpeverest User Registration user-registration allows Stored XSS.This issue affects User Registration: from n/a through <= 4.0.3.
cvelistv5nvd
CVE-2025-1511MEDIUMCVSS 6.1fixed in 4.1.02025-02-28
CVE-2025-1511 [MEDIUM] CWE-79 CVE-2025-1511: The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin f
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 4.0.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbi
nvd
CVE-2023-29429MEDIUMCVSS 5.3fixed in 2.3.3≥ n/a, ≤ 2.3.2.12024-12-09
CVE-2023-29429 [MEDIUM] CWE-862 CVE-2023-29429: Missing Authorization vulnerability in WPEverest User Registration allows Exploiting Incorrectly Con
Missing Authorization vulnerability in WPEverest User Registration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Registration: from n/a through 2.3.2.1.
cvelistv5nvd
CVE-2023-27459HIGHCVSS 8.8≥ n/a, ≤ 2.3.2.12024-03-26
CVE-2023-27459 [HIGH] CWE-502 CVE-2023-27459: Deserialization of Untrusted Data vulnerability in WPEverest User Registration.This issue affects Us
Deserialization of Untrusted Data vulnerability in WPEverest User Registration.This issue affects User Registration: from n/a through 2.3.2.1.
cvelistv5nvd
CVE-2023-5228MEDIUMCVSS 4.8fixed in 3.0.4.22023-11-06
CVE-2023-5228 [MEDIUM] CWE-79 CVE-2023-5228: The User Registration WordPress plugin before 3.0.4.2 does not sanitize and escape some of its setti
The User Registration WordPress plugin before 3.0.4.2 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
nvd
CVE-2023-3342CRITICALCVSS 9.9fixed in 3.0.2.12023-07-13
CVE-2023-3342 [CRITICAL] CWE-434 CVE-2023-3342: The User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to a hardcode
The User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to a hardcoded encryption key and missing file type validation on the 'ur_upload_profile_pic' function in versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with subscriber-level capabilities or above to upload arbitrary files
nvd
CVE-2023-3343HIGHCVSS 8.8≤ 3.0.12023-07-13
CVE-2023-3343 [HIGH] CWE-502 CVE-2023-3343: The User Registration plugin for WordPress is vulnerable to PHP Object Injection in versions up to,
The User Registration plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.0.1 via deserialization of untrusted input from the 'profile-pic-url' parameter. This allows authenticated attackers, with subscriber-level permissions and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If
nvd
CVE-2023-23987MEDIUMCVSS 4.8fixed in 2.3.1≥ n/a, ≤ 2.3.02023-04-06
CVE-2023-23987 [MEDIUM] CWE-79 CVE-2023-23987: Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WPEverest User Registration plugin
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WPEverest User Registration plugin <= 2.3.0 versions.
cvelistv5nvd
CVE-2022-3912HIGHCVSS 7.5fixed in 2.2.4.12022-12-12
CVE-2022-3912 [HIGH] CWE-434 CVE-2022-3912: The User Registration WordPress plugin before 2.2.4.1 does not properly restrict the files to be upl
The User Registration WordPress plugin before 2.2.4.1 does not properly restrict the files to be uploaded via an AJAX action available to both unauthenticated and authenticated users, which could allow unauthenticated users to upload PHP files for example.
nvd
CVE-2021-24654MEDIUMCVSS 5.4fixed in 2.0.22021-10-04
CVE-2021-24654 [MEDIUM] CWE-79 CVE-2021-24654: The User Registration WordPress plugin before 2.0.2 does not properly sanitise the user_registration
The User Registration WordPress plugin before 2.0.2 does not properly sanitise the user_registration_profile_pic_url value when submitted directly via the user_registration_update_profile_details AJAX action. This could allow any authenticated user, such as subscriber, to perform Stored Cross-Site attacks when their profile is viewed
nvd