{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32488", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:00.509Z", "datePublished": "2026-03-25T16:14:58.228Z", "dateUpdated": "2026-03-25T16:14:58.228Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "user-registration", "product": "User Registration", "vendor": "wpeverest", "versions": [{"changes": [{"at": "5.1.3", "status": "unaffected"}], "lessThanOrEqual": "<= 4.4.9", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "0xd4rk5id3 | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:37.053Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incorrect Privilege Assignment vulnerability in wpeverest User Registration user-registration allows Privilege Escalation.<p>This issue affects User Registration: from n/a through <= 4.4.9.</p>"}], "value": "Incorrect Privilege Assignment vulnerability in wpeverest User Registration user-registration allows Privilege Escalation.This issue affects User Registration: from n/a through <= 4.4.9."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "Privilege Escalation"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-266", "description": "Incorrect Privilege Assignment", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:58.228Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/user-registration/vulnerability/wordpress-user-registration-plugin-4-4-9-privilege-escalation-vulnerability?_s_id=cve"}], "title": "WordPress User Registration plugin <= 4.4.9 - Privilege Escalation vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Privilege Assignment vulnerability in wpeverest User Registration user-registration allows Privilege Escalation.This issue affects User Registration: from n/a through <= 4.4.9."}], "id": "CVE-2026-32488", "lastModified": "2026-03-25T17:16:59.730", "metrics": {}, "published": "2026-03-25T17:16:59.730", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/user-registration/vulnerability/wordpress-user-registration-plugin-4-4-9-privilege-escalation-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-266"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:36:47.470178+00:00", "value": {"mitigation_remediation": ["Update the User Registration plugin to version 4.5.0 or later.", "If an update cannot be applied immediately, disable or remove the plugin to prevent new registrations.", "Verify and restrict user role assignments so that only verified administrators can hold high\u2011level privileges.", "Regularly monitor user role changes and account activity for signs of unauthorized privilege escalation."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The flaw affects all versions of the wpeverest User Registration plugin up to and including 4.4.9. Every WordPress site running a vulnerable version of this plugin is at risk of privilege escalation through the plugin\u2019s user registration mechanism.", "description_and_impact": "The vulnerability in the WordPress User Registration plugin results from incorrect privilege assignment, allowing an attacker to elevate a user\u2019s role beyond the intended level. By manipulating the registration process, an adversary may acquire administrator privileges, thereby gaining full control over the site\u2019s content, settings, and sensitive data. This direct breach of role boundaries enables unauthorized access and potential further exploitation of the compromised WordPress installation.", "risk_and_exploitability": "No CVSS score or EPSS value is available for this entry, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to require that an attacker can submit or manipulate registration requests, which is typically possible on publicly accessible registration pages. Because the flaw permits elevation of user roles, the potential impact is high for sites that rely on the standard WordPress role hierarchy, and the risk remains significant even without documented exploitation cases."}}}}, "created": "2026-03-25T21:43:40.245446+00:00", "updated": "2026-03-25T21:43:40.245473+00:00", "vendors": []}