Severity: HIGH | CVE-2026-49081 | CNA: Patchstack

CVE-2026-49081: WordPress User Registration Stripe plugin <= 1.3.12 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in User Registration Stripe <= 1.3.12 versions.

Metrics

  • CVSS v3.1 base score: 8.2
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

A broken access control vulnerability affects the User Registration Stripe plugin for WordPress, versions 1.3.12 and earlier. The flaw is reachable over the network without any authentication, meaning any external attacker can send crafted requests to the affected endpoint. Successful exploitation gives an attacker the ability to read limited data and perform high-impact unauthorized writes or modifications to protected functionality. No fix version has been published; HarborGuard tracks this advisory and will surface a patched-image rebuild the moment an upstream fix is released.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against customer images that include the User Registration Stripe plugin, including custom-built WordPress images. Any image carrying a version at or below 1.3.12 of the affected plugin is flagged automatically in both registry scans and CI pipeline checks.

Triage: Available

HarborGuard scores this finding at CVSS 8.2 (HIGH) using the published v3.1 vector, and per-environment compliance policy weighting is applied to prioritize routing within each customer org. Triage alerts are delivered to the inbox or ticketing integration configured for the affected workload, ensuring the right team sees the finding without manual filtering.

Patch: Pending upstream

Because no fix version has been published, HarborGuard re-checks the Patchstack advisory and upstream plugin repository on every ingest cycle. The moment an upstream patch is released, a patched-image rebuild becomes available, and customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via standard HTTP/HTTPS.

  • Authentication: Not required

    No account or session credential of any kind is needed; the attacker sends unauthenticated requests directly to the affected endpoint.

  • Victim interaction: Not required

    The attack is entirely server-side and requires no action from any user or administrator of the WordPress site.

  • Attack complexity: Low

    Exploit complexity is low, meaning the attack is reliable and requires no special timing, race conditions, or environmental prerequisites.

Blast Radius

  • An unauthenticated attacker can read a limited subset of application data exposed through the broken access control endpoint.
  • An attacker can make high-impact unauthorized modifications to protected data or plugin-controlled records, such as altering registration configurations, subscription states, or Stripe-linked user data.
  • Because integrity impact is rated high, an attacker may be able to manipulate payment or registration workflows in ways that affect business logic downstream.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-49081 is active and will flag any image containing User Registration Stripe at or below version 1.3.12 across registry scans and pipeline checks. Because no upstream fix exists as of the CVE publication date, HarborGuard monitors the Patchstack advisory and the ThemeGrill plugin repository on every ingest cycle. In the interim, compensating controls are worth considering: network-policy rules that restrict access to the WordPress installation to known trusted origins, web application firewall rules targeting the vulnerable endpoint path, and disabling the Stripe registration feature flag if the plugin exposes one. For customers who opt into auto-remediation, a patched-image rebuild, regression-test run, and PR against affected workloads will be triggered automatically the moment an upstream fix is published, with no manual intervention required.

Affected packages
  • ThemeGrill / User Registration Stripe
    ≤ 1.3.12
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N