A critical security vulnerability identified as CVE-2026-54807 has been discovered in the Registration Form for WooCommerce plugin. The vulnerability may allow an unauthenticated attacker to obtain administrator privileges and subsequently take control of the entire Wordpress website.
The vulnerability received a CVSS score of 9.8 out of 10, placing it in the highest category of critical security risks. We recommend that administrators of affected websites update the plugin immediately.
All plugin versions up to and including 1.0.9 are vulnerable. According to the published advisory, the security fix is included in version 1.1.0 and later.
The plugin is used to create and customize registration forms for WooCommerce. In vulnerable versions, the assignment of user roles during registration is not properly secured.
An attacker can submit a modified registration request without prior authentication and obtain higher privileges than those normally assigned to a newly registered customer.
According to the Wordfence database, a successful attack may result in the creation of a user account with the administrator role. The attacker does not need a valid account or any cooperation from the website administrator.
How serious can the attack be?
Obtaining an administrator account usually means a complete compromise of the WordPress website. For example, an attacker may:
- install malicious plugins or themes,
- modify website and product content,
- gain access to orders and customer data,
- create additional hidden administrator accounts,
- redirect visitors to fraudulent websites,
- inject malicious JavaScript or PHP code into the website,
- send spam and phishing messages,
- use the website to carry out further attacks.
Although the vulnerability is classified as a privilege escalation issue rather than direct remote code execution, administrator access to WordPress may subsequently allow the attacker to execute their own code.
The vulnerability has the following characteristics:
- the attack can be carried out remotely over the internet,
- no prior authentication is required,
- the attack does not require user interaction,
- the technical complexity of the attack is low,
- it may result in a complete compromise of the website’s confidentiality, integrity, and availability.
The resulting score is 9.8 out of 10 – Critical.
How to fix the vulnerability
Website owners using the Registration Form for WooCommerce plugin should immediately update it to at least the following version:
Registration Form for WooCommerce 1.1.0
Patchstack lists version 1.1.0 as the patched release and recommends upgrading to this version or any newer available version.
If the update cannot be performed, we recommend immediately deactivating and removing the plugin. Simply disabling the registration form in the WooCommerce settings may not provide sufficient protection, because the vulnerable plugin code may still remain accessible through its own requests or endpoints.