WPEverest User Registration for WordPress
Approved changes feed: RSS · Atom
cpe:2.3:a:wpeverest:user_registration:-:*:*:*:*:wordpress:*:*
part: a version: - update: *
| Vendor | Wpeverest (893868fd-7465-5174-8b2f-d1079aaa15d0) |
|---|---|
| Product | User Registration (2bb64de2-ffd5-591a-9862-99d8cb309736) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | wordpress |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2024-2417 |
vulnerable | 2026-06-03 14:55:29.190800 |
User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin <= 3.1.5 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
HIGH (8.8)
The User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the form_save_action() function in all versions up to, and including, 3.1.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the registration form and make the default registration role administrator. This subsequently allows the attacker to register an account as an administrator on the site.
Published: 2024-05-02T16:52:41.534Z
Updated: 2026-04-08T17:24:49.700Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3343 |
vulnerable | 2026-06-03 14:52:40.540108 |
User Registration <= 3.0.1 - Authenticated (Subscriber+) PHP Object Injection
HIGH (8.8)
The User Registration plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.0.1 via deserialization of untrusted input from the 'profile-pic-url' parameter. This allows authenticated attackers, with subscriber-level permissions and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Published: 2023-07-13T02:04:14.751Z
Updated: 2026-04-08T16:45:58.372Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3342 |
vulnerable | 2026-06-03 14:52:40.537141 |
User Registration <= 3.0.2 - Authenticated (Subscriber+) Arbitrary File Upload
CRITICAL (9.9)
The User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to a hardcoded encryption key and missing file type validation on the 'ur_upload_profile_pic' function in versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with subscriber-level capabilities or above to upload arbitrary files on the affected site's server which may make remote code execution possible. This was partially patched in version 3.0.2 and fully patched in version 3.0.2.1.
Published: 2023-07-13T02:04:15.320Z
Updated: 2026-04-08T17:14:07.557Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.