CVE-2026-6203 MEDIUM

CVE-2026-6203: User Registration & Membership <= 5.1.4 - Unauthenticated Open Redirect via 'redirect_to_on_logout' Parameter

Vendor Wpeverest
Product User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
Weakness CWE-601 · Open redirect
Published April 13, 2026
Last update April 24, 2026

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

The User Registration & Membership plugin for WordPress is vulnerable to Open Redirect in versions up to and including 5.1.4. This is due to insufficient validation of user-supplied URLs passed via the 'redirect_to_on_logout' GET parameter before redirecting users. The `redirect_to_on_logout` GET parameter is passed directly to WordPress's `wp_redirect()` function instead of the domain-restricted `wp_safe_redirect()`. While `esc_url_raw()` is applied to sanitize malformed URLs, it does not restrict the redirect destination to the local domain, allowing an attacker to craft a specially formed link that redirects users to potentially malicious external URLs after logout, which could be used to facilitate phishing attacks.
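The description above contrasts `wp_redirect()` with `wp_safe_redirect()`. The following PHP, added here as an illustration and not taken from the plugin, shows the described pattern next to a host-restricted version; the function names `ur_example_logout_redirect_vulnerable` and `ur_example_logout_redirect_safe` are hypothetical, while `wp_redirect`, `wp_safe_redirect`, `wp_validate_redirect`, `esc_url_raw`, `wp_unslash` and `home_url` are real WordPress core functions.

```php
<?php
// Added illustration of the pattern the advisory describes; not the plugin's
// own code. Handler names are hypothetical.

// Pattern as described in the advisory: esc_url_raw() only normalises and
// sanitises the URL syntax, it does not confine the destination host, so
// wp_redirect() will send the user to whatever host the parameter names.
function ur_example_logout_redirect_vulnerable() {
    if ( ! empty( $_GET['redirect_to_on_logout'] ) ) {
        $target = esc_url_raw( wp_unslash( $_GET['redirect_to_on_logout'] ) );
        wp_redirect( $target ); // no host check: open redirect
        exit;
    }
}

// Hardened form: wp_validate_redirect() accepts only the site's own host (plus
// any host added through the 'allowed_redirect_hosts' filter) and returns the
// fallback URL otherwise; wp_safe_redirect() applies the same validation again
// before issuing the Location header, so an external destination is dropped.
function ur_example_logout_redirect_safe() {
    $fallback = home_url( '/' );
    $target   = $fallback;
    if ( ! empty( $_GET['redirect_to_on_logout'] ) ) {
        $requested = esc_url_raw( wp_unslash( $_GET['redirect_to_on_logout'] ) );
        // Off-site hosts collapse to $fallback; same-host paths pass through.
        $target = wp_validate_redirect( $requested, $fallback );
    }
    wp_safe_redirect( $target );
    exit;
}

// If a second trusted host must be allowed, extend the allowlist explicitly
// rather than falling back to wp_redirect(). The hostname below is a
// constructed placeholder.
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    $hosts[] = 'sso.example-placeholder.test';
    return $hosts;
} );
```

When auditing a plugin for this bug class, `wp_redirect(` calls whose argument derives from `$_GET`, `$_POST` or `$_REQUEST` are the places to check, since sanitising the URL with `esc_url_raw()` alone is not a host restriction.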

Explanation of Vulnerability in Simple Terms

02 Summary

The User Registration & Membership plugin for WordPress contains an open redirect vulnerability in versions up to 5.1.4. An attacker can craft a malicious link that redirects users to an external website after they interact with the plugin. This can be used to phish credentials or distribute malware. The vulnerability requires user interaction—the victim must click the crafted link.

What an attacker can do

03 Attacker Capabilities

Redirect users to a malicious external website via a crafted link.

Potential impact on your site

04 Site Impact

Users may be redirected to phishing or malware sites, damaging trust and potentially compromising user credentials.

Conditions required to exploit

05 Prerequisites

User must click an attacker-crafted link; no authentication required.

Key dates

06 Disclosure timeline

April 13, 2026 CVE published
April 24, 2026 Record updated