Atomic Edge analysis of CVE-2026-0844:
The Simple User Registration plugin for WordPress versions up to and including 6.7 contains an insecure direct object reference vulnerability in its profile update functionality. This vulnerability allows authenticated attackers with subscriber-level permissions to escalate their privileges to administrator by manipulating user capability metadata during profile updates. The CVSS score of 8.8 reflects the high impact of this privilege escalation combined with low attack complexity.
The root cause lies in the `profile_save_field` function within the `WPR_Profile` class. This function processes user profile updates without proper authorization checks or input validation for critical user metadata fields. The vulnerable code path begins in `/wp-registration/inc/classes/class.profile.php` at line 411, where the function accepts POST data containing user profile information. The function calls `set_user_data()` which eventually processes the submitted data through the `save()` method in the `WPR_User` class. The `save()` method in `/wp-registration/inc/classes/class.user.php` at line 307 iterates through all submitted profile data without filtering dangerous meta keys like `wp_capabilities`.
Exploitation requires an authenticated attacker with subscriber-level access to submit a crafted POST request to the WordPress AJAX endpoint `/wp-admin/admin-ajax.php` with the action parameter set to `profile_save_field`. The attacker must include the `wp_capabilities` parameter within the `wpr` POST array, containing serialized PHP data representing administrator capabilities. The payload structure would be: `action=profile_save_field&user_id=[ATTACKER_ID]&wpr[wp_capabilities]=a:1:{s:13:"administrator";b:1;}`. The attacker can target their own user ID or potentially other users if they can guess or discover valid user IDs.
The patch implements multiple defense layers across several files. In `class.profile.php` lines 411-416, the patch adds an authorization check requiring users to either edit their own profile or have the `edit_users` capability. In `class.user.php` lines 312-336, the patch introduces an allowed meta keys whitelist and explicitly blocks any keys containing the `capabilities` or `user_level` substrings. The `set_meta` methods in both `class.register.php` (lines 273-277) and `class.user.php` (lines 102-106) now reject capability-related keys. The plugin version number increments from 6.7 to 6.8 in `wp-registration.php` lines 5 and 17.
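The following is an added illustration of the two controls the patch description above calls for (the own-profile-or-`edit_users` authorization check, and the meta-key allowlist plus `capabilities`/`user_level` substring block) applied to the unfiltered save loop described in the root-cause section. It is not the plugin's own code: the function names, the hook name `wp_ajax_wpr_example_save`, the nonce action, and the allowlist contents are assumptions; the WordPress functions it calls (`get_current_user_id`, `current_user_can`, `sanitize_key`, `update_user_meta`, `check_ajax_referer`, `wp_send_json_error`) are core APIs.

```php
<?php
// Illustrative hardening for a WordPress profile-update AJAX handler.
// Not the plugin's patch; names prefixed wpr_example_ are assumptions.

// Allowlist of profile meta keys the handler may write (assumed set).
const WPR_EXAMPLE_ALLOWED_META = array( 'first_name', 'last_name', 'description', 'user_url' );

// Substrings that must never appear in a writable key. WordPress stores roles
// in {$wpdb->prefix}capabilities and the legacy level in {$wpdb->prefix}user_level,
// so matching on the substring also covers non-default table prefixes.
const WPR_EXAMPLE_DENIED_SUBSTRINGS = array( 'capabilities', 'user_level' );

/**
 * Authorization check: a user may update their own profile, or any profile
 * if they hold the edit_users capability.
 */
function wpr_example_can_edit_profile( $target_user_id ) {
    $target_user_id = (int) $target_user_id;
    if ( $target_user_id <= 0 ) {
        return false;
    }
    if ( get_current_user_id() === $target_user_id ) {
        return true;
    }
    return current_user_can( 'edit_users' );
}

/**
 * Return only the meta entries that are safe to persist. sanitize_key()
 * lower-cases and strips unexpected characters before matching, so a key
 * such as "WP_Capabilities" cannot slip past the substring check.
 */
function wpr_example_filter_profile_meta( array $submitted ) {
    $clean = array();
    foreach ( $submitted as $key => $value ) {
        $key = sanitize_key( $key );
        foreach ( WPR_EXAMPLE_DENIED_SUBSTRINGS as $needle ) {
            if ( false !== strpos( $key, $needle ) ) {
                continue 2; // drop this key entirely
            }
        }
        if ( ! in_array( $key, WPR_EXAMPLE_ALLOWED_META, true ) ) {
            continue; // not on the allowlist
        }
        if ( ! is_scalar( $value ) ) {
            continue; // nested arrays (e.g. serialized structures) are never expected here
        }
        $clean[ $key ] = sanitize_text_field( wp_unslash( $value ) );
    }
    return $clean;
}

/**
 * AJAX handler wired to wp_ajax_wpr_example_save (hook name is an assumption).
 * Role changes are deliberately impossible from this path; they belong to
 * admin-side code that calls WP_User::set_role() after its own checks.
 */
function wpr_example_profile_save() {
    check_ajax_referer( 'wpr_example_profile', 'nonce' );

    $user_id = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : get_current_user_id();
    if ( ! wpr_example_can_edit_profile( $user_id ) ) {
        wp_send_json_error( 'not allowed', 403 );
    }

    $submitted = ( isset( $_POST['wpr'] ) && is_array( $_POST['wpr'] ) ) ? $_POST['wpr'] : array();
    $clean     = wpr_example_filter_profile_meta( $submitted );

    foreach ( $clean as $key => $value ) {
        update_user_meta( $user_id, $key, $value );
    }
    wp_send_json_success( array_keys( $clean ) );
}
add_action( 'wp_ajax_wpr_example_save', 'wpr_example_profile_save' );
```

Two design points worth keeping when adapting this: the allowlist alone is not enough if the list is ever widened carelessly, and the substring denylist alone is not enough if a future WordPress meta key becomes security-sensitive, so both layers stay, mirroring the patch. A quick regression check is to call `wpr_example_filter_profile_meta( array( 'first_name' => 'x', 'wp_capabilities' => 'y' ) )` and confirm the returned array contains only `first_name`.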
Successful exploitation grants the attacker full administrative privileges within the WordPress installation. This includes complete control over the website’s content, users, plugins, themes, and settings. An attacker could create backdoor administrator accounts, inject malicious code, deface the website, exfiltrate sensitive data, or maintain persistent access for further attacks. The vulnerability affects all WordPress sites using the vulnerable plugin version with user registration enabled.
