Output validation vulnerability in User Registration – Custom Registration Form, Login Form And User Profile For WordPress 3.0.1

The User Registration plugin for WordPress lets visitors create accounts on a WordPress website. Versions up to and including 3.0.1 of this plugin are vulnerable to PHP Object Injection, which can occur when the plugin’s “profile-pic-url” parameter is given untrusted input. An attacker who can access the website with a user account that has subscriber-level permissions or higher can exploit this vulnerability to inject a PHP object. No chain of additional plugins or themes is required for this attack to be successful, but if any are present they could give the attacker additional capabilities such as deleting files, retrieving sensitive data, or executing code.
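A detection check for the condition described above, added here as an example and not code from the plugin or from wpvulnerability.com. It assumes request bodies are available to you as form-encoded strings; the function names and the sample bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

PARAM = "profile-pic-url"  # parameter named in the advisory

# PHP serialize() writes an object as O:<len>:"<class>":<count>:{...} (C: for
# classes with custom serialization). Match it at the start of the value or
# nested inside a serialized array, i.e. right after ';' or '{'.
SERIALIZED_OBJECT = re.compile(r'(?:^|[;{])[OC]:\+?\d+:"[^"]*":\d+:\{')

# Constructed request bodies (not captured traffic). stdClass is PHP's empty
# built-in class and is used here only as an inert placeholder.
SAMPLE_BODIES = [
    "action=save&profile-pic-url=https%3A%2F%2Fexample.test%2Favatar.png",
    "action=save&profile-pic-url=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D",
    "profile-pic-url=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D",
    "action=save&display_name=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D",
]


def suspicious_values(body: str) -> list[str]:
    """Return the profile-pic-url values in one body that carry a serialized object."""
    fields = parse_qs(body, keep_blank_values=True)  # percent-decodes each value
    return [v for v in fields.get(PARAM, []) if SERIALIZED_OBJECT.search(v.strip())]


def flagged(bodies: list[str]) -> list[int]:
    """Return the indexes of the bodies worth a closer look."""
    return [i for i, body in enumerate(bodies) if suspicious_values(body)]


if __name__ == "__main__":
    for i in flagged(SAMPLE_BODIES):
        print(f"body {i}: {suspicious_values(SAMPLE_BODIES[i])}")
```

On a site still running 3.0.1 or earlier, a flagged request is a reason to review the account that sent it.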

This information is sourced from www.wpvulnerability.com, an open-source database of vulnerabilities maintained by the community.

Version compare shows which versions have a vulnerability. For example, ">= 2.2.8 <= 2.2.21" means:

">" from 2.2.8
"=" including 2.2.8 and 2.2.21
"<" to 2.2.21
