Severity: HIGH | CVE-2026-25425 | CNA: Patchstack

CVE-2026-25425: WordPress User Registration plugin <= 5.1.2 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in User Registration <= 5.1.2 versions.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: no fix version published upstream
Affected Products: 1


HarborGuard Analysis

Synopsis

A broken access control vulnerability affects the ThemeGrill User Registration WordPress plugin at version 5.1.2 and below. The flaw is reachable over the network without any authentication, meaning any remote caller can trigger it without holding a WordPress account. Successful exploitation causes a complete denial of service against the affected functionality, crashing or disabling the service entirely. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against customer images in registries and CI pipelines. Coverage includes custom-built images that bundle the User Registration plugin directly.

Triage: Available

HarborGuard scores this finding at CVSS 7.5 HIGH per the v3.1 vector and weights it further against each customer environment's compliance policy to determine urgency. Triage results are routed to the inbox configured for the responsible team inside each customer organization.

Patch: Pending upstream

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment ThemeGrill ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version is confirmed.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress service over the network; no local or physical access is needed.

  • Authentication: Not required

    No WordPress account or session token of any privilege level is needed to trigger the vulnerability.

  • Victim interaction: Not required

    No user action such as clicking a link or opening a page is required; the attacker acts entirely on their own.

  • Attack complexity: Low (AC:L in the CVSS vector)

    Exploitation is reliable and condition-free; no race conditions, special memory layout, or environmental setup is required.

Blast Radius

  • Crashes or disables the User Registration plugin's service, making registration-dependent functionality unavailable to legitimate users.
  • Availability of the affected WordPress site's user onboarding flow is fully disrupted for the duration of an attack.
  • No confidentiality or data-integrity impact is indicated; attacker cannot read or modify stored data through this vector.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix version exists for CVE-2026-25425, HarborGuard monitors the Patchstack advisory and the ThemeGrill release feed on every ingest cycle. When ThemeGrill publishes a patched release, a rebuilt image at the fix version becomes available automatically. For customers with auto-remediation enabled, a regression test run and a PR against affected workloads are opened without manual intervention. In the interim, compensating controls worth evaluating include network-policy rules that restrict unauthenticated external access to the WordPress registration endpoint, web application firewall rules that rate-limit or challenge requests to the registration route, and feature-flag or plugin-deactivation options if user registration is not actively required in a given environment.

Affected packages
  • ThemeGrill / User Registration
    ≤ 5.1.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H