WordPress · UserPro · CVE-2024-0701
**Name of the Vulnerable Software and Affected Versions**
UserPro plugin for WordPress versions up to, and including, 5.1.6
**Description**
The UserPro plugin for WordPress is affected by a security feature bypass. The plugin relies on client-side restrictions to enforce the 'Disabled registration' Membership feature in its General settings, so the restriction is not enforced on the server. As a result, unauthenticated attackers can register an account even when an administrator has disabled account registration.
**Recommendations**
Versions up to, and including, 5.1.6 are affected. Update to a version later than 5.1.6 to resolve the issue.
As a temporary workaround, consider disabling the 'Disabled registration' Membership feature or restricting access to the registration endpoint until a patch is available.
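
Because the bypass lets accounts be created while registration is meant to be off, it is worth auditing existing users on an affected site. The following is an added example, not part of the original advisory or of the plugin's code. It assumes a user export in the shape produced by `wp user list --fields=ID,user_login,user_registered,roles --format=json` and that the administrator knows when registration was disabled; the function names, the sample data and the cutoff date are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of the WP-CLI JSON user export.
SAMPLE_EXPORT = json.dumps([
    {"ID": 1, "user_login": "admin", "user_registered": "2022-03-01 09:00:00", "roles": "administrator"},
    {"ID": 7, "user_login": "editor_anna", "user_registered": "2024-02-10 14:12:00", "roles": "editor"},
    {"ID": 8, "user_login": "qwe8812", "user_registered": "2024-02-11 03:41:27", "roles": "subscriber"},
    {"ID": 9, "user_login": "zxc4410", "user_registered": "2024-02-11 03:41:52", "roles": "subscriber"},
])


def parse_wp_time(value):
    """WordPress stores user_registered as 'YYYY-MM-DD HH:MM:SS' in UTC."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def accounts_after_disable(export_json, disabled_since, known_logins=()):
    """Return accounts registered at or after the time registration was disabled.

    disabled_since: timezone-aware datetime (assumption: the admin knows when
    the 'Disabled registration' setting was switched on).
    known_logins: accounts an administrator created deliberately after that time.
    """
    known = {login.lower() for login in known_logins}
    flagged = []
    for user in json.loads(export_json):
        registered = parse_wp_time(user["user_registered"])
        login = user["user_login"]
        if registered >= disabled_since and login.lower() not in known:
            roles = [r for r in str(user.get("roles", "")).split(",") if r]
            flagged.append({"id": int(user["ID"]), "login": login,
                            "registered": registered, "roles": roles})
    # Oldest first, so bursts of sign-ups are easy to spot.
    return sorted(flagged, key=lambda u: u["registered"])


if __name__ == "__main__":
    cutoff = datetime(2024, 1, 15, tzinfo=timezone.utc)  # constructed cutoff
    for u in accounts_after_disable(SAMPLE_EXPORT, cutoff, known_logins=["editor_anna"]):
        print(u["id"], u["login"], u["registered"].isoformat(), ",".join(u["roles"]))
```

Accounts the script flags still need manual review, since an export alone cannot distinguish an administrator-created account from a self-registered one.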