Share
## https://sploitus.com/exploit?id=48174569-B840-527F-84DC-3A342D955C0A
# CVE-2026-6145 โ€” User Registration & Membership for WordPress: Unauthenticated Admin Approval Bypass

> Proof-of-concept exploit for **CVE-2026-6145**, a missing authorization vulnerability in the *User Registration & Membership* plugin for WordPress (โ‰ค 5.1.5) that allows unauthenticated attackers to bypass the admin approval requirement when creating new accounts.

[![CVE](https://img.shields.io/badge/CVE-2026--6145-red.svg)](https://nvd.nist.gov/vuln/detail/CVE-2026-6145)
[![CVSS](https://img.shields.io/badge/CVSS%203.1-5.3%20Medium-yellow.svg)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
[![CWE](https://img.shields.io/badge/CWE-862-blue.svg)](https://cwe.mitre.org/data/definitions/862.html)
[![License](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)

---

## Summary

| | |
|---|---|
| **CVE ID** | CVE-2026-6145 |
| **CNA** | Wordfence |
| **Vulnerability** | Missing Authorization โ€” Admin Approval Bypass |
| **CWE** | [CWE-862](https://cwe.mitre.org/data/definitions/862.html) (Missing Authorization) |
| **CVSS 3.1** | 5.3 Medium (`AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N`) |
| **Affected** | User Registration & Membership for WordPress โ€” all versions **โ‰ค 5.1.5** |
| **Patched** | Version **> 5.1.5** |
| **Researcher** | Anthony Cihan โ€” Offensive Security Lead, [Obviam](https://obviam.com) |
| **Disclosure** | Wordfence Responsible Disclosure Program |
| **Published** | 2026-05-14 |

---

## Vulnerability Details

### Root Cause

The `is_admin_creation_process()` method in `includes/class-ur-user-approval.php` is the sole gate determining whether a new registration should be treated as an administrator-initiated creation. When this method returns `true`, two side effects occur:

- `set_user_status()` sets the new user's status to **APPROVED**, skipping the pending-approval queue.
- `send_request_notification_to_admin()` **suppresses the admin notification email** for the new registration.

The method itself, in version 5.1.5, contains no authentication, authorization, or nonce verification:

```php
// includes/class-ur-user-approval.php:459-461
protected function is_admin_creation_process() {
    return ( isset( $_REQUEST['action'] ) && 'createuser' == $_REQUEST['action'] );
}
```

Because `$_REQUEST` merges `$_GET`, `$_POST`, and `$_COOKIE`, an unauthenticated attacker can satisfy this check by adding `?action=createuser` to the URL of a registration form submission. The plugin then auto-approves the account and never alerts the administrator.

### Exploitation Chain

While CVE-2026-6145 specifically addresses the missing authorization in `is_admin_creation_process()`, full unauthenticated exploitation against a hardened registration form requires chaining it with two ancillary issues in the same plugin version, both of which the included PoC handles automatically:

| Step | Issue | Purpose |
|------|-------|---------|
| 1 | Unauthenticated nonce generation via the `user_registration_get_recent_nonce` `wp_ajax_nopriv` endpoint (Referer-only check) | Obtain a valid `ur_frontend_form_nonce` without an authenticated session |
| 2 | AJAX nonce check bypass when `ur_fallback_submit` is non-empty in the form handler | Submit registration via the fallback path without a valid AJAX referer |
| 3 | **CVE-2026-6145** โ€” `action=createuser` in `$_REQUEST` flips `is_admin_creation_process()` to `true` | Auto-approve the new account and suppress admin notification |

The result: a fully approved user account, created without administrator interaction or notification, on a site that explicitly requires admin approval for new registrations.

---

## Proof of Concept

### Requirements

- Python 3.8+
- `requests` library
- A test target running User Registration & Membership โ‰ค 5.1.5 with:
  - Registration enabled
  - Admin approval login option enabled
  - A known registration form ID (visible in the form's page source as `data-form-id`)

### Installation

```bash
git clone https://github.com//CVE-2026-6145.git
cd CVE-2026-6145
pip install requests
```

### Usage

```bash
python3 poc_admin_approval_bypass.py  
```

Example:

```bash
python3 poc_admin_approval_bypass.py http://wp.example.lab 7
```

### Expected Output

```
======================================================================
  User Registration v5.1.4 - Admin Approval Bypass PoC
  CVE: 2026-6145 | CWE-862
  Affects: User Registration & Membership  5.1.5 | Patched |

---

## Remediation

### For Site Administrators

1. **Update immediately** to the latest version of *User Registration & Membership* (> 5.1.5).
2. Audit `Users โ†’ All Users` for unexpected approved accounts created since the vulnerable version was installed. Pay particular attention to accounts with no corresponding admin notification email.
3. Rotate credentials and review activity for any suspicious accounts identified.
4. If immediate update is not possible, **disable public registration** in WordPress settings as a temporary mitigation.

### For Developers / Code Reference

The vulnerable method should require both a capability check and a valid nonce:

```php
protected function is_admin_creation_process() {
    return current_user_can( 'create_users' )
        && isset( $_REQUEST['action'] )
        && 'createuser' === $_REQUEST['action']
        && isset( $_REQUEST['_wpnonce_create-user'] )
        && wp_verify_nonce(
               wp_unslash( $_REQUEST['_wpnonce_create-user'] ),
               'create-user'
           );
}
```

---

## Disclosure Timeline

| Date | Event |
|------|-------|
| 2026-03-09 | Vulnerability identified during authorized security audit of plugin v5.1.4 |
| 2026-03-09 | Initial report submitted to Wordfence Responsible Disclosure Program |
| 2026-04-12 | CVE-2026-6145 reserved by Wordfence (CNA) |
| 2026-05-14 | Vendor patched version published; CVE-2026-6145 published |
| 2026-05-14 | This PoC released coordinated with public advisory |

---

## References

- [Wordfence Advisory โ€” CVE-2026-6145](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/user-registration/user-registration-membership-515-unauthenticated-missing-authorization-to-admin-approval-bypass-via-action-parameter)
- [NVD โ€” CVE-2026-6145](https://nvd.nist.gov/vuln/detail/CVE-2026-6145)
- [CWE-862: Missing Authorization](https://cwe.mitre.org/data/definitions/862.html)
- [WordPress Plugin Repository โ€” User Registration & Membership](https://wordpress.org/plugins/user-registration/)

### Related Vulnerabilities in the Same Plugin

Researchers tracking this plugin's authorization model may also be interested in:

- CVE-2026-1492 โ€” Unauthenticated Privilege Escalation (โ‰ค 5.1.2)
- CVE-2026-1779 โ€” Authentication Bypass via `register_member` (โ‰ค 5.1.2)
- CVE-2026-4056 โ€” Broken Access Control on Content Access Rules REST API (5.0.1 โ€“ 5.1.4)
- CVE-2026-6203 โ€” Unauthenticated Open Redirect (โ‰ค 5.1.4)

---

## Credits

**Research, discovery, and PoC development:**

**Anthony Cihan**
Offensive Security Lead โ€” [Obviam](https://obviam.com)

If you reference this work, please cite **CVE-2026-6145** with attribution to *Anthony Cihan / Obviam*.

---

## Legal and Ethical Notice

This proof-of-concept is published **for defensive research, detection engineering, and authorized security testing only**. It is intended to assist:

- WordPress site administrators verifying patch deployment
- Security vendors developing detection signatures and WAF rules
- Researchers studying authorization-control patterns in WordPress plugins
- Educators and students in offensive and defensive security programs

The original research was conducted in an **authorized lab environment** under signed agreement, with coordinated disclosure to the vendor via the Wordfence Responsible Disclosure Program prior to public release.

**Running this PoC against any system you do not own or do not have explicit written authorization to test is illegal** under the U.S. Computer Fraud and Abuse Act (18 U.S.C. ยง 1030), the U.K. Computer Misuse Act 1990, the E.U. Directive 2013/40/EU, and equivalent legislation in most jurisdictions. The author and Obviam disclaim all liability for misuse of this code.

By using this repository you acknowledge that you have read, understood, and accepted these terms.

---

## License

Released under the [MIT License](LICENSE). Attribution required per the credits section above.