I’ve been spending a lot of time recently looking at how different WordPress plugins handle user registration. It’s a common requirement for my clients, but it’s also a massive surface area for security issues if not handled correctly. This morning, I’ve been digging into a particularly nasty vulnerability in the “User Registration & Membership” plugin (slug: user-registration).
If you’re using this plugin, you need to check your version immediately. Versions up to and including 5.1.2 have a flaw that allows anyone – without an account – to create a new user and make themselves a site administrator.
The problem with open AJAX endpoints
The issue stems from how the plugin handles membership registrations via AJAX. In the affected versions, the `register_member` action was hooked to both the standard and the “nopriv” (unauthenticated) AJAX actions in WordPress.
This isn’t necessarily a bug on its own, as you often want logged-out users to be able to register. However, the problem lies in what the AJAX handler does with the data it receives.
The plugin processes a `members_data` JSON string from the POST request. In version 5.1.2, the code that prepares this data was far too trusting. It would look for a `role` field in the JSON and, if found, it would sanitise it and pass it right along to the user creation logic.
Escalating privileges
Because the role wasn’t validated against a whitelist or restricted based on the user’s current permissions, an attacker could simply include `"role": "administrator"` in their registration request.
When the plugin then calls its internal `update_user_meta` method, it creates the user and sets their role exactly as requested:
```php
// modules/membership/includes/Admin/Services/MembersService.php
public function update_user_meta( $data, $new_user_id ) {
	$user = new \WP_User( $new_user_id );
	// $data['role'] comes straight from the request; nothing validates it here.
	$user->set_role( $data['role'] );
	// ...
}
```

This is about as direct as a privilege escalation gets. No complex memory corruption or SQL injection required; just a specific key-value pair in a JSON payload and you’ve got full administrative control over the site.
How to check if you’re at risk
You should check your installed plugins list for “User Registration & Membership”. If you are running version 5.1.2 or older, you are vulnerable.
I’d also recommend checking your users list for any unexpected administrator accounts that have been created recently. You can use WP-CLI to quickly list all administrators:
```bash
# List all administrator users
wp user list --role=administrator
```
If you see someone there you don’t recognise, especially if their registration date matches a suspicious gap in your logs, you’ve likely been hit.
What to do next
The fix is straightforward: update the plugin to version 5.1.5 or later.
In the patched versions, the developers added a “context” check. When a registration comes from the frontend, the plugin now ignores any role sent in the request and instead pulls the correct role from the specific membership plan settings. They’ve also beefed up the security of the user creation process with HMAC-SHA256 hashes to prevent other types of manipulation.
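To make the “context” check concrete, here is an added example of how that role decision can be written so the request never gets a vote on a frontend registration. This is my own illustration, not the plugin’s patched code: the function name, the `ALLOWED_MEMBER_ROLES` list and the `$can_promote` flag are assumptions standing in for however the real plugin reads a membership plan’s configured role.

```php
<?php
// Added example, not the plugin's own code. The allow-list and the
// $can_promote flag are assumptions; in WordPress the latter would come
// from current_user_can( 'promote_users' ).

// Roles a self-service registration may ever end up with.
const ALLOWED_MEMBER_ROLES = [ 'subscriber', 'member' ];

/**
 * Pick the role for a newly created member.
 *
 * @param array  $members_data Decoded members_data JSON from the request (untrusted).
 * @param string $context      'frontend' for unauthenticated self-registration,
 *                             'admin' for a request made from the dashboard.
 * @param string $plan_role    Role configured on the chosen membership plan
 *                             (read from site settings, never from the request).
 * @param bool   $can_promote  Whether the requester is allowed to assign roles.
 */
function resolve_member_role( array $members_data, string $context, string $plan_role, bool $can_promote = false ): string {
	// Frontend registrations never get a say: the plan decides the role.
	if ( 'frontend' === $context ) {
		return $plan_role;
	}

	// Dashboard requests may choose a role, but only an allow-listed one,
	// and only if the requester is actually permitted to assign roles.
	if ( ! isset( $members_data['role'] ) || ! $can_promote ) {
		return $plan_role;
	}
	$requested = strtolower( preg_replace( '/[^A-Za-z0-9_\-]/', '', (string) $members_data['role'] ) );

	return in_array( $requested, ALLOWED_MEMBER_ROLES, true ) ? $requested : $plan_role;
}

// Constructed request body shaped like the one described above.
$payload = json_decode( '{"username":"mallory","role":"administrator"}', true );

// Unauthenticated registration: the requested role is ignored.
assert( 'subscriber' === resolve_member_role( $payload, 'frontend', 'subscriber' ) );
// Dashboard request from someone who cannot promote users: still the plan role.
assert( 'subscriber' === resolve_member_role( $payload, 'admin', 'subscriber', false ) );
// Even a user who can promote cannot hand out a role outside the allow-list.
assert( 'subscriber' === resolve_member_role( $payload, 'admin', 'subscriber', true ) );
// A permitted, allow-listed choice goes through.
assert( 'member' === resolve_member_role( [ 'role' => 'member' ], 'admin', 'subscriber', true ) );
```

The point is that the role is a property of the plan, not of the request; whatever the handler does with the rest of `members_data`, `set_role()` should only ever receive a value the site configuration chose.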