Privilege Escalation Vulnerability in Themehunk Login Registration Plugin for WordPress
CVE-2026-14250
6.3MEDIUM
What is CVE-2026-14250?
The Themehunk Login Registration plugin for WordPress contains a vulnerability that allows unauthenticated attackers to escalate privileges. This flaw is due to the handle_frontend_register() function, which improperly handles the 'role' parameter in the REST endpoint /thlogin/v1/register. The function only validates this parameter against get_editable_roles(), allowing attackers to register new user accounts with elevated roles, such as 'editor', when public user registration is enabled. This oversight can lead to unauthorized access and control over various site functionalities.
Affected Version(s)
TH Login Registration 0 <= 1.0.2