User Registration & Membership Plugin Vulnerability (CVE-2026-6203)


Security Alert Summary

The User Registration & Membership plugin for WordPress contains an open redirect vulnerability in versions up to and including 5.1.4. A user-supplied URL passed via the redirect_to_on_logout GET parameter is redirected using wp_redirect() instead of the domain-restricted wp_safe_redirect(). Although esc_url_raw() is applied, it does not limit redirects to the local domain, allowing crafted links to redirect users to external sites after logout, which could be used to facilitate phishing attacks.


CVE Details

  • CVE ID: CVE-2026-6203
  • Affected component: User Registration & Membership plugin for WordPress
  • Affected versions: Versions up to and including 5.1.4
  • Published: April 13, 2026 11:16:28 PM UTC
  • Last modified: April 13, 2026 11:16:28 PM UTC
  • CVSS v3.1: Base score 6.1 (MEDIUM) — Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • Authentication requirements: None (no authentication required)
  • Privileges required: None
  • User interaction: Required
  • Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
  • CWE / weakness ID: CWE-601 (Open Redirect)

Technical Details

The vulnerability is an open redirect caused by insufficient validation of a user-supplied URL. The plugin accepts a redirect_to_on_logout GET parameter and passes it to WordPress’ wp_redirect() function. Instead of using the domain-restricted wp_safe_redirect(), the plugin relies on esc_url_raw() to sanitize the value. While esc_url_raw() removes malformed or dangerous characters, it does not enforce that the redirect target remains on the local domain.

This allows an attacker to craft a logout link containing an external URL that will be followed after a user logs out. Because the redirect occurs after logout and no authentication or specific privileges are required to trigger the redirect, an attacker can use social engineering to lure users to the crafted URL and redirect them to a malicious site, increasing the risk of phishing.
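The two patterns the advisory contrasts, written out as an added illustration (not the plugin's own code): a hypothetical logout handler that passes the parameter to wp_redirect(), beside the same handler using wp_safe_redirect(), which routes the target through WordPress core's wp_validate_redirect() host allowlist. Function names prefixed example_ and the hostname in the filter are assumptions; the WordPress core functions used are real.

```php
<?php
// Added illustration, not code from the affected plugin. Assumes a WordPress
// runtime: wp_redirect(), wp_safe_redirect(), esc_url_raw(), wp_unslash(),
// wp_logout(), home_url() and the allowed_redirect_hosts filter are core APIs.

// Vulnerable pattern (CWE-601). esc_url_raw() only cleans the string; it
// keeps any http/https URL intact regardless of host, so an external target
// in redirect_to_on_logout survives and wp_redirect() follows it unchecked.
function example_logout_redirect_vulnerable() {
    $target = isset( $_GET['redirect_to_on_logout'] )
        ? esc_url_raw( wp_unslash( $_GET['redirect_to_on_logout'] ) )
        : home_url();
    wp_logout();
    wp_redirect( $target ); // no host restriction
    exit;
}

// Hardened pattern. wp_safe_redirect() calls wp_validate_redirect(), which
// accepts only http/https URLs whose host is the site's own host or one
// returned by the allowed_redirect_hosts filter; anything else is replaced
// by the core fallback (admin_url() unless filtered), so an off-site
// target can never be reached through this code path.
function example_logout_redirect_hardened() {
    $target = isset( $_GET['redirect_to_on_logout'] )
        ? esc_url_raw( wp_unslash( $_GET['redirect_to_on_logout'] ) )
        : home_url();
    wp_logout();
    wp_safe_redirect( $target, 302 );
    exit;
}

// If a site legitimately needs post-logout redirects to a second host,
// the right fix is to extend the allowlist explicitly rather than fall back
// to wp_redirect(). The hostname below is a constructed placeholder.
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    $hosts[] = 'sso.example.com';
    return $hosts;
} );
```

When reviewing a plugin for this class of bug, grep for wp_redirect( calls whose argument derives from $_GET, $_POST or $_REQUEST; each one should either become wp_safe_redirect() or be wrapped in wp_validate_redirect().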


How This Could Impact Your Website

Consider a site with multiple users: a site owner who manages plugins, internal staff members who have editor access, and an external contractor who occasionally logs in to update content. An attacker could send a crafted logout link to staff or the contractor that appears legitimate. After the recipient follows the link and logs out, they could be redirected to a malicious page designed to harvest credentials or perform social engineering.

Practical consequences include exposure to targeted phishing, potential credential harvesting on external sites, and erosion of user trust if staff or contributors are redirected to hostile pages after routine actions. The technical impact is consistent with the CVSS ratings: primarily limited confidentiality and integrity effects rather than direct site takeover.

If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributor and editor accounts that do not need elevated access.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from the site.
  • Monitor site activity and logs for unusual behavior, including unexpected redirects or repeated logout events triggered from external links.

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

