H3-2026-0041
WordPress User Registration Enabled
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 5.3 |
Description
The WordPress user registration page is publicly accessible, allowing unauthenticated users to create accounts on the site. Depending on the default role assigned to new users, and on installed plugins, this can provide an initial foothold for authenticated-user attacks.
Impact
An attacker can create a user account on the WordPress site. With a valid account, they can access authenticated endpoints, exploit post-authentication vulnerabilities in plugins and themes, and potentially escalate privileges depending on the default user role configuration.
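
To confirm the exposure on a single-site install, the two WordPress core options behind it (`users_can_register` and `default_role`) can be checked from an export made with `wp option list --format=json`. The script below is an added example, not part of the original advisory; the status labels and the sample export are constructed for illustration.

```python
import json

# WordPress built-in roles, lowest to highest privilege.
ROLE_RANK = {"subscriber": 0, "contributor": 1, "author": 2,
             "editor": 3, "administrator": 4}


def load_options(wp_cli_json):
    """Turn `wp option list --format=json` output into {name: value}."""
    return {row["option_name"]: row["option_value"]
            for row in json.loads(wp_cli_json)}


def assess_registration(options):
    """Return (status, reasons); the status labels are this example's own."""
    enabled = str(options.get("users_can_register", "0")) == "1"
    role = str(options.get("default_role", "subscriber")).lower()
    if not enabled:
        return "closed", ["users_can_register is off: self-registration is closed"]
    reasons = ["users_can_register=1: anyone can create an account"]
    if role not in ROLE_RANK:
        # Role added by a plugin or theme: its capabilities cannot be
        # judged from the options table alone.
        reasons.append(f"default_role '{role}' is a custom role: review its capabilities")
        return "open-custom-role", reasons
    if ROLE_RANK[role] > ROLE_RANK["subscriber"]:
        reasons.append(f"default_role '{role}' grants more than subscriber")
        return "open-elevated-role", reasons
    reasons.append("default_role is subscriber: authenticated plugin and "
                   "theme endpoints are still reachable")
    return "open", reasons


# Constructed sample export (not taken from a real site).
SAMPLE_EXPORT = json.dumps([
    {"option_name": "siteurl", "option_value": "https://wp.example.test"},
    {"option_name": "users_can_register", "option_value": "1"},
    {"option_name": "default_role", "option_value": "author"},
])

if __name__ == "__main__":
    status, reasons = assess_registration(load_options(SAMPLE_EXPORT))
    print(status)
    for reason in reasons:
        print(" -", reason)
```

If registration is not needed, setting `users_can_register` to `0` closes the finding; if it is needed, keeping `default_role` at `subscriber` limits what a new account can do.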