Security Alert Summary
The User Registration & Membership WordPress plugin before 5.2.3 fails to perform a capability check for unauthenticated callers on one of its membership payment actions and acts on a caller-supplied user identifier. This allows unauthenticated attackers to delete recently-registered, payment-pending user accounts.
CVE Details
- CVE ID: CVE-2026-11966
- Affected component: User Registration & Membership WordPress plugin
- Affected versions: Versions prior to 5.2.3 (example affected version listed: 4.2.3)
- Published: July 17, 2026, 7:16:37 AM UTC
- Last modified: July 17, 2026, 3:44:29 PM UTC
- CVSS v3.1: Base score 5.3, MEDIUM; vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N - Authentication / privileges / user interaction: Unauthenticated callers. Privileges required: NONE. User interaction: NONE.
- Primary impact: Confidentiality: NONE; Integrity: LOW; Availability: NONE
- Weakness (CWE): CWE-639
- Additional notes: SSVC metadata indicates a proof-of-concept exists and the issue is automatable (SSVC options: exploitation: poc; automatable: yes; technicalImpact: partial).
Technical Details
The plugin does not perform a capability or authentication check for unauthenticated callers on one of its membership payment actions. The vulnerable action accepts a caller-supplied user identifier and will act on that identifier. Because the request can be made without privileges, an unauthenticated attacker can target recently-registered accounts that are still payment-pending and cause their deletion.
The root cause is a missing capability check on the membership payment action and insufficient validation of the caller-supplied user identifier. The direct impact observed in the description is account deletion of payment-pending users; no additional endpoints, functions, or implementation details are named in the available data.
How This Could Impact Your Website
Consider a site with multiple roles: a site owner who configures membership plans, internal staff who review new registrations, and external contributors who may manage content. An unauthenticated attacker exploiting this issue could delete recently-registered, payment-pending accounts before staff confirmation. Practical consequences include disruption to new subscriber onboarding and potential loss of revenue for paid memberships.
Beyond deleted accounts, related risks include exposure of operational difficulty: staff may need to re-validate registrations, and attackers could combine knowledge of pending accounts with external information to increase the risk of targeted phishing or social engineering against users or staff. If you rely on pending-account workflows for billing or communications, those processes could be interrupted.
professional review: If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributors and any roles that can submit payment or registration-related requests.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual behavior related to user creation, payment actions, and account deletions.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.