CVE-2026-11963

WordPress · User Registration & Membership

The User Registration & Membership WordPress plugin contains an authorization bypass vulnerability that allows authenticated users to manipulate data via user-controlled keys.

Executive summary

An authorization bypass vulnerability in the User Registration & Membership WordPress plugin allows authenticated users to perform unauthorized actions, potentially leading to full account or data compromise.

Vulnerability

This is an authorization bypass vulnerability (CWE-639) where improper validation of user-controlled keys allows a low-privileged authenticated user to access or modify data belonging to other users.

Business impact

With a CVSS score of 8.1, this vulnerability presents a high risk of unauthorized privilege escalation and data manipulation. If exploited, an attacker could gain unauthorized access to other users' accounts or sensitive membership data, leading to a loss of system integrity and potential reputational damage.

Remediation

Immediate Action: Update the User Registration & Membership plugin to version 5.2.2 or later to address the authorization logic flaw.

Proactive Monitoring: Review application access logs for unusual activity patterns, specifically focusing on account modification requests or access to unauthorized user records.

Compensating Controls: Implement strict access control lists and review user permissions within the WordPress dashboard to limit the scope of potential unauthorized actions.

Exploitation status

Public Exploit Available: No

Analyst recommendation

While this vulnerability requires a valid user account, the potential for total impact on user data makes it a high-priority item. Organizations should audit their user management processes and apply the vendor-provided security update as soon as possible to prevent potential exploitation.