PatchSiren cyber security CVE debrief
CVE-2026-14250 themehunk CVE debrief
The Themehunk Login Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.2. This is due to the handle_frontend_register() function in the unauthenticated /thlogin/v1/register REST endpoint accepting a user-controlled 'role' parameter and validating it only against get_editable_roles() — which returns every defined editable site role, including 'editor' — before passing it to wp_insert_user(). This makes it possible for unauthenticated attackers, when public user registration is enabled, to create new accounts with the editor role. The CVE record was published on 2026-07-08T12:17:20.200Z and has not been modified since then.
- Vendor
- themehunk
- Product
- TH Login Registration
- CVSS
- MEDIUM 6.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-08
Who should care
WordPress users who have installed the Themehunk Login Registration plugin, version 1.0.2 or earlier, should be aware of this vulnerability and take steps to mitigate it. This includes updating the plugin to a version that fixes this vulnerability, limiting access to the WordPress REST API, and monitoring user account creations and role assignments for suspicious activity.
Technical summary
The Themehunk Login Registration plugin for WordPress is vulnerable to privilege escalation due to improper validation of the 'role' parameter in the handle_frontend_register() function. This function is part of the unauthenticated /thlogin/v1/register REST endpoint and allows for the creation of new accounts with elevated privileges, specifically the 'editor' role. The plugin does not properly restrict the 'role' parameter, allowing attackers to create new accounts with the 'editor' role.
Defensive priority
High
Recommended defensive actions
- Update the Themehunk Login Registration plugin to a version that fixes this vulnerability.
- Limit access to the WordPress REST API to prevent unauthorized users from exploiting this vulnerability.
- Monitor user account creations and role assignments for suspicious activity.
- Consider implementing additional security measures, such as two-factor authentication and role-based access control.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
Evidence notes
The CVE record was published on 2026-07-08T12:17:20.200Z and has not been modified since then. The NVD entry is currently Deferred. There is limited information available about this vulnerability, and defenders should verify the affected scope and severity with the vendor. The Themehunk Login Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.2.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T12:17:20.200Z and has not been modified since then.