User Registration & Membership Plugin Vulnerability in WordPress
CVE-2026-11966
What is CVE-2026-11966?
The User Registration & Membership plugin for WordPress prior to version 5.2.3 has a security flaw that allows unauthenticated attackers to perform unauthorized actions. This weakness occurs due to the absence of capability checks for certain membership payment actions, which permits these attackers to delete user accounts that are recently registered and pending payment. If left unaddressed, this vulnerability poses significant risks to user data integrity and system stability.
Affected Version(s)
User Registration & Membership 4.2.3 < 5.2.3
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved