What the vulnerability does
01 Description
The User Registration & Membership plugin for WordPress is vulnerable to Open Redirect in versions up to and including 5.1.4. This is due to insufficient validation of user-supplied URLs passed via the `redirect_to_on_logout` GET parameter before redirecting users. The `redirect_to_on_logout` GET parameter is passed directly to WordPress's `wp_redirect()` function instead of the domain-restricted `wp_safe_redirect()`. While `esc_url_raw()` is applied to sanitize malformed URLs, it does not restrict the redirect destination to the local domain, allowing an attacker to craft a specially formed link that redirects users to potentially malicious external URLs after logout, which could be used to facilitate phishing attacks.
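To make the distinction between the two WordPress redirect helpers concrete, here is an added illustration of a logout handler written in the unsafe pattern the description names and in a host-restricted form. This is example code written for this page, not the plugin's own source; the function names `example_logout_redirect_unsafe` and `example_logout_redirect_safe` and the host `members.example.com` are constructed placeholders. It uses only core WordPress functions (`esc_url_raw()`, `wp_unslash()`, `wp_redirect()`, `wp_safe_redirect()`, `wp_validate_redirect()`, `home_url()`, and the `allowed_redirect_hosts` filter) and therefore runs inside a WordPress request, not stand-alone.

```php
<?php
// Added illustration (not the plugin's code): forwarding a user-supplied
// destination after logout, first as the advisory describes it, then
// restricted to the site's own host.

// Unsafe pattern: esc_url_raw() only normalises the URL (strips control
// characters, rejects disallowed schemes). It does not look at the host,
// so "https://attacker.example/" passes through unchanged and wp_redirect()
// sends the browser there.
function example_logout_redirect_unsafe() {
    if ( empty( $_GET['redirect_to_on_logout'] ) ) {
        return;
    }
    $target = esc_url_raw( wp_unslash( $_GET['redirect_to_on_logout'] ) );
    wp_redirect( $target );
    exit;
}

// Hardened pattern: wp_safe_redirect() passes the location through
// wp_validate_redirect(), which accepts only the site's own host plus any
// hosts added via the 'allowed_redirect_hosts' filter, and otherwise
// substitutes a fallback URL. Calling wp_validate_redirect() explicitly
// lets this handler choose home_url() as that fallback instead of the
// default admin_url().
function example_logout_redirect_safe() {
    $fallback = home_url( '/' );
    if ( empty( $_GET['redirect_to_on_logout'] ) ) {
        wp_safe_redirect( $fallback );
        exit;
    }
    $requested = esc_url_raw( wp_unslash( $_GET['redirect_to_on_logout'] ) );
    // Returns $fallback when the host is not on the allow-list; protocol-
    // relative input ("//host/...") is normalised to a full URL first, so it
    // is checked against the same list rather than slipping through.
    $target = wp_validate_redirect( $requested, $fallback );
    wp_safe_redirect( $target );
    exit;
}

// If a single trusted external destination is genuinely needed, extend the
// allow-list rather than falling back to wp_redirect(). Constructed host name.
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    $hosts[] = 'members.example.com'; // placeholder, not a real deployment value
    return $hosts;
} );
```

The defensive point is that sanitising a URL and authorising its destination are different checks: `esc_url_raw()` answers "is this a well-formed URL with an acceptable scheme", while `wp_validate_redirect()` answers "is this host one we are willing to send our users to". An open-redirect fix needs the second check, which is why the hardened version routes every user-controlled location through `wp_safe_redirect()`.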
Explanation of Vulnerability in Simple Terms
02 Summary
The User Registration & Membership plugin for WordPress contains an open redirect vulnerability in versions up to 5.1.4. An attacker can craft a malicious link that redirects users to an external website after they interact with the plugin. This can be used to phish credentials or distribute malware. The vulnerability requires user interaction—the victim must click the crafted link.
What an attacker can do
03 Attacker Capabilities
Redirect users to a malicious external website via a crafted link.
Potential impact on your site
04 Site Impact
Users may be redirected to phishing or malware sites, damaging trust and potentially compromising user credentials.
Conditions required to exploit
05 Prerequisites
User must click an attacker-crafted link; no authentication required.
Key dates
06 Disclosure timeline
April 13, 2026: CVE published
April 24, 2026: Record updated