Privilege Escalation Vulnerability in Themehunk Login Registration Plugin for WordPress
CVE-2026-14250

6.3MEDIUM

Key Information:

Vendor

WordPress

Vendor
CVE Published:
8 July 2026

What is CVE-2026-14250?

The Themehunk Login Registration plugin for WordPress contains a vulnerability that allows unauthenticated attackers to escalate privileges. This flaw is due to the handle_frontend_register() function, which improperly handles the 'role' parameter in the REST endpoint /thlogin/v1/register. The function only validates this parameter against get_editable_roles(), allowing attackers to register new user accounts with elevated roles, such as 'editor', when public user registration is enabled. This oversight can lead to unauthorized access and control over various site functionalities.

Affected Version(s)

TH Login Registration 0 <= 1.0.2

References

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Trung Huynh Chi
.