Security Alert Summary
The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress has an Insecure Direct Object Reference vulnerability (CVE-2026-7651). Missing ownership validation on a user-controlled attachment ID allows the plugin to store and delete media attachments without verifying ownership, enabling authenticated attackers with subscriber-level access and above to permanently delete media uploaded by other users, including administrators.
CVE Details
- CVE ID: CVE-2026-7651
- Affected component: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress (as described in the CVE)
- Affected versions: All versions up to and including 5.1.5 (as stated in the CVE description)
- Published: May 28, 2026 at 08:16:37 AM UTC
- Last modified: May 28, 2026 at 01:45:25 PM UTC
- CVSS v3.1: Base Score 5.3 (MEDIUM) — Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- Authentication / privileges / user interaction (from CVSS data): Privileges Required: NONE; User Interaction: NONE; Attack Vector: NETWORK. Note that the CVSS vector records Privileges Required as NONE even though the description above requires an authenticated account with subscriber-level access or above.
- Primary impact: Integrity impact: LOW (allows deletion of arbitrary media attachments). Confidentiality and Availability: NONE per CVSS data.
- Weakness (CWE): CWE-639
Technical Details
This vulnerability is an Insecure Direct Object Reference caused by missing ownership validation on a user-controlled attachment ID. The plugin accepts an attachment identifier from a requesting user, stores it, and later deletes the referenced attachment without verifying that the attachment belongs to the requesting user. Because the plugin does not enforce ownership checks, an authenticated user can reference and delete media uploaded by other users.
The issue is present in the plugin’s frontend handling and related core functions referenced in the disclosure. The CVE references plugin files including includes/frontend/class-ur-frontend.php and includes/functions-ur-core.php, which indicate the flaw resides in the code paths that accept and act on user-supplied attachment IDs.
Impact: An authenticated attacker with subscriber-level access or higher can permanently delete arbitrary media attachments belonging to other users, including attachments uploaded by administrators. The vulnerability affects the integrity of media assets; it does not, according to the CVSS data, impact confidentiality or availability.
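To show concretely what the missing ownership validation looks like and how it is closed, here is an added example written for this advisory; it is not the plugin's code, the function names prefixed `example_` are hypothetical, and only the WordPress APIs (`get_post`, `wp_delete_attachment`, `current_user_can`, `check_ajax_referer`) are real.

```php
<?php
// Added example, not the plugin's own code. Function names are hypothetical;
// the WordPress API calls are real.

// Unchecked pattern (the CWE-639 shape described above): the caller-supplied
// attachment ID is trusted outright, so any logged-in user can delete any attachment.
function example_delete_attachment_unchecked( $attachment_id ) {
    $attachment_id = absint( $attachment_id );
    return wp_delete_attachment( $attachment_id, true );
}

// Hardened pattern: resolve the object, confirm it is an attachment,
// then enforce ownership and WordPress' own capability check.
function example_delete_attachment_checked( $attachment_id ) {
    $attachment_id = absint( $attachment_id );
    if ( ! $attachment_id ) {
        return new WP_Error( 'example_invalid_id', 'Invalid attachment ID.' );
    }
    $attachment = get_post( $attachment_id );
    // Reject IDs that do not resolve to a media attachment at all (e.g. a page or post ID).
    if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
        return new WP_Error( 'example_not_attachment', 'Not an attachment.' );
    }
    // Ownership: the attachment must have been uploaded by the requesting user.
    // For a front-end profile handler this is deliberately strict; it also stops an
    // administrator from deleting others' media through this endpoint.
    if ( (int) $attachment->post_author !== get_current_user_id() ) {
        return new WP_Error( 'example_forbidden', 'You do not own this attachment.' );
    }
    // Capability: let the delete_post meta-capability confirm the user may delete it.
    if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
        return new WP_Error( 'example_forbidden', 'Insufficient privileges.' );
    }
    return wp_delete_attachment( $attachment_id, true );
}

// Hypothetical AJAX entry point: nonce and login gate before the checked helper runs.
function example_ajax_delete_attachment() {
    check_ajax_referer( 'example_delete_attachment', 'nonce' ); // CSRF protection
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'Not logged in.', 401 );
    }
    $result = example_delete_attachment_checked( $_POST['attachment_id'] ?? 0 );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 403 );
    }
    wp_send_json_success( 'Attachment deleted.' );
}
add_action( 'wp_ajax_example_delete_attachment', 'example_ajax_delete_attachment' );
```

The same ownership check belongs at the point where the plugin first stores a user-supplied attachment ID, not only at deletion time, so that a foreign ID is never persisted in the first place.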
How This Could Impact Your Website
Consider a multi-user WordPress site with a site owner, several internal editors or contributors, and an external contractor who manages content. If the site runs an affected version of this plugin, a subscriber or other low-privilege user could delete media items uploaded by editors or administrators. In practice this can lead to missing images in published posts, lost media libraries, and extra time spent restoring content or re-uploading assets.
Consequences may include broken pages or posts that rely on deleted media and additional administrative effort to identify and restore lost files. While the CVSS data indicates confidentiality impact is none, the loss of media assets can still disrupt site operations and editorial workflows, and increase the potential for social engineering attempts if attackers exploit missing content to impersonate staff or request credentials.
Professional review: If you’re unsure whether your site is affected, or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributor or subscriber accounts that are not required.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site and media library activity for unusual deletions or unexpected changes.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/frontend/class-ur-frontend.php#L114
- https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/frontend/class-ur-frontend.php#L86
- https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/functions-ur-core.php#L4262
- https://plugins.trac.wordpress.org/changeset/3539426/user-registration/tags/5.2.0/includes/frontend/class-ur-frontend.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0def7637-edf4-4ae2-a2e7-31ccb3b52d71?source=cve