Insecure Direct Object Reference in User Registration & Membership Plugin from WordPress
CVE-2026-7651

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
Vendor: CVE Published:; 28 May 2026

What is CVE-2026-7651?

The User Registration & Membership plugin for WordPress is susceptible to an Insecure Direct Object Reference vulnerability due to a lack of ownership validation for user-controlled attachment IDs. This flaw allows authenticated users with subscriber-level access or higher to bypass restrictions and delete any media attachments uploaded by other users, including administrators. The vulnerability arises from improper handling of attachment IDs, leading to potential unauthorized removals of critical media content in WordPress installations.

Affected Version(s)

User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder 0 <= 5.1.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/user-registrat...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 28, 2026
Vulnerability Reserved
May 1, 2026

Credit

Supakiad S.

CVE-2026-7651 Data

JSON