PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-14250 themehunk CVE debrief

The Themehunk Login Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.2. This is due to the handle_frontend_register() function in the unauthenticated /thlogin/v1/register REST endpoint accepting a user-controlled 'role' parameter and validating it only against get_editable_roles() — which returns every defined editable site role, including 'editor' — before passing it to wp_insert_user(). This makes it possible for unauthenticated attackers, when public user registration is enabled, to create new accounts with the editor role. The CVE record was published on 2026-07-08T12:17:20.200Z and has not been modified since then.

Vendor
themehunk
Product
TH Login Registration
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-08
Advisory published
2026-07-08
Advisory updated
2026-07-08

Who should care

WordPress users who have installed the Themehunk Login Registration plugin, version 1.0.2 or earlier, should be aware of this vulnerability and take steps to mitigate it. This includes updating the plugin to a version that fixes this vulnerability, limiting access to the WordPress REST API, and monitoring user account creations and role assignments for suspicious activity.

Technical summary

The Themehunk Login Registration plugin for WordPress is vulnerable to privilege escalation due to improper validation of the 'role' parameter in the handle_frontend_register() function. This function is part of the unauthenticated /thlogin/v1/register REST endpoint and allows for the creation of new accounts with elevated privileges, specifically the 'editor' role. The plugin does not properly restrict the 'role' parameter, allowing attackers to create new accounts with the 'editor' role.

Defensive priority

High

Recommended defensive actions

  • Update the Themehunk Login Registration plugin to a version that fixes this vulnerability.
  • Limit access to the WordPress REST API to prevent unauthorized users from exploiting this vulnerability.
  • Monitor user account creations and role assignments for suspicious activity.
  • Consider implementing additional security measures, such as two-factor authentication and role-based access control.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record was published on 2026-07-08T12:17:20.200Z and has not been modified since then. The NVD entry is currently Deferred. There is limited information available about this vulnerability, and defenders should verify the affected scope and severity with the vendor. The Themehunk Login Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.2.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T12:17:20.200Z and has not been modified since then.