CVE-2026-11964

WordPress · User Registration & Membership

The User Registration & Membership WordPress plugin fails to validate payment-provider webhooks, allowing unauthenticated attackers to bypass subscription payments.

Executive summary

A critical authentication bypass vulnerability in the User Registration & Membership plugin allows unauthenticated attackers to gain unauthorized access to paid features.

Vulnerability

The plugin suffers from an Improper Authentication vulnerability (CWE-287) where incoming payment webhooks are not verified, allowing unauthenticated attackers to forge successful payment notifications.

Business impact

Exploitation of this flaw allows attackers to activate premium membership tiers without completing actual transactions, resulting in direct revenue loss and unauthorized access to restricted site content. With a CVSS score of 9.1, this vulnerability poses a high risk to the business model and data integrity of the affected platform.

Remediation

Immediate Action: Update the User Registration & Membership plugin to version 5.2.2 or later immediately.

Proactive Monitoring: Audit user account registrations and subscription logs for anomalous patterns or spikes in "successful" payments that lack corresponding payment provider records.

Compensating Controls: If an update is not immediately feasible, temporarily disable the affected registration functionality or implement IP-based rate limiting on the webhook endpoint.

Exploitation status

Public Exploit Available: Unknown.

Analyst recommendation

Given the ease of exploitation and the potential for direct financial impact, administrators should prioritize updating the plugin to the patched version. Verify that all current membership statuses are legitimate to ensure no unauthorized accounts were created during the exposure window.