CVE-2026-54807: WordPress Registration Form for WooCommerce plugin <= 1.0.9 - Privilege Escalation vulnerability

Synopsis

An unauthenticated privilege escalation vulnerability affects the Registration Form for WooCommerce WordPress plugin by ThemeGrill at versions 1.0.9 and below. The flaw is reachable over the network without any credentials, meaning any internet-facing WordPress site running the plugin is exposed. Successful exploitation lets an attacker elevate their privileges within the WordPress installation, gaining read, write, and availability control over the affected site. No upstream fix has been published yet; HarborGuard tracks the advisory for patch availability.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityRequired

  The attacker must reach the WordPress service over the network; any internet-facing instance is directly exposed.

• AuthenticationNot required

  No credentials of any kind are needed; the exploit is available to anonymous, unauthenticated requests.

• Victim interactionNot required

  No action from a logged-in user or site visitor is required to trigger the vulnerability.

• Attack complexityDetail

  Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental factors to succeed.

Blast Radius

• An attacker gains elevated privileges within the WordPress installation, enabling full administrative access to site content, settings, and user accounts.
• With high integrity impact, the attacker can create, modify, or delete posts, pages, plugins, and user records stored in the WordPress database.
• With high confidentiality impact, the attacker reads stored user data, credentials, order records, and any WooCommerce customer information held in the database.
• With high availability impact, the attacker can disable the site, remove critical content, or deactivate plugins and themes, taking the storefront offline.