CVE-2026-6203

Name of the Vulnerable Software and Affected Versions User Registration & Membership versions prior to 5.1.5

Description The User Registration & Membership plugin for WordPress contains an open redirect issue. This occurs because user-supplied URLs provided through the 'redirect to on logout' GET parameter are not sufficiently validated before being processed by the wp redirect() function. Although esc url raw() is used to sanitize malformed URLs, it fails to restrict the destination to the local domain. This allows an attacker to create a link that redirects users to external malicious websites after they log out, which can be used to facilitate phishing attacks.

Recommendations Update the plugin to a version later than 5.1.4. As a temporary workaround, restrict access to the 'redirect to on logout' parameter until the update is applied.