Cross-Site Request Forgery Vulnerability in User Registration Plugin by WordPress
CVE-2025-14976

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
Vendor: CVE Published:; 10 January 2026

What is CVE-2025-14976?

The User Registration & Membership Plugin for WordPress is susceptible to a Cross-Site Request Forgery due to improper nonce validation within the 'process_row_actions' functionality. This vulnerability allows unauthenticated attackers to potentially execute arbitrary actions on behalf of a site administrator, such as deleting posts, merely by tricking them into clicking a malicious link. The flaw exists in all versions up to and including 4.4.8, highlighting the importance of a comprehensive review of site permissions and nonce usage.

Affected Version(s)

User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder 0 <= 4.4.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/user-registrat...

https://plugins.trac.wordpress.org/changeset/3435099/user...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 10, 2026
Vulnerability Reserved
Dec 19, 2025

Credit

Youcef Hamdani

CVE-2025-14976 Data

JSON