CVE-2026-11963
WordPress · User Registration & Membership
The User Registration & Membership WordPress plugin contains an authorization bypass vulnerability that allows authenticated users to manipulate data via user-controlled keys.
Executive summary
An authorization bypass vulnerability in the User Registration & Membership WordPress plugin allows authenticated users to perform unauthorized actions, potentially leading to full account or data compromise.
Vulnerability
This is an authorization bypass vulnerability (CWE-639) where improper validation of user-controlled keys allows a low-privileged authenticated user to access or modify data belonging to other users.
Business impact
With a CVSS score of 8.1, this vulnerability presents a high risk of unauthorized privilege escalation and data manipulation. If exploited, an attacker could gain unauthorized access to other users' accounts or sensitive membership data, leading to a loss of system integrity and potential reputational damage.
Remediation
Immediate Action: Update the User Registration & Membership plugin to version 5.2.2 or later to address the authorization logic flaw.
Proactive Monitoring: Review application access logs for unusual activity patterns, specifically focusing on account modification requests or access to unauthorized user records.
Compensating Controls: Implement strict access control lists and review user permissions within the WordPress dashboard to limit the scope of potential unauthorized actions.
Exploitation status
Public Exploit Available: No
Analyst recommendation
While this vulnerability requires a valid user account, the potential for total impact on user data makes it a high-priority item. Organizations should audit their user management processes and apply the vendor-provided security update as soon as possible to prevent potential exploitation.