CVE-2024-4958
User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin <= 3.2.0.1 - Missing Authorization to Privilege Escalation
The User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'import_form_action' function in versions up to, and including, 3.2.0.1. This makes it possible for authenticated attackers, with contributor-level permissions and above, to import a registration form with a default user role of administrator. If an administrator approves or publishes a post or page with the shortcode to the imported form, any user can register as an administrator.
| CWE | CWE-862 |
| Vendor | wpeverest |
| Product | user registration & membership – free & paid memberships, subscriptions, content restriction, user profile, custom user registration & login builder |
| Published | Jun 1, 2024 |
| Last Updated | Apr 8, 2026 |
Get instant alerts for wpeverest user registration & membership – free & paid memberships, subscriptions, content restriction, user profile, custom user registration & login builder
Be the first to know when new high vulnerabilities affecting wpeverest user registration & membership – free & paid memberships, subscriptions, content restriction, user profile, custom user registration & login builder are published — delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H