CVE-2026-11966 PUBLISHED

User Registration & Membership < 5.2.3 - Unauthenticated Limited User Deletion via Stripe Subscription Handler

Assigner: WPScan
Reserved: 11.06.2026 Published: 17.07.2026 Updated: 17.07.2026

The User Registration & Membership WordPress plugin before 5.2.3 does not perform a capability check for unauthenticated callers on one of its membership payment actions and acts on a caller-supplied user identifier, allowing unauthenticated attackers to delete recently-registered, payment-pending user accounts.

Product Status

Vendor Unknown
Product User Registration & Membership
Versions Default: unaffected
  • affected from 4.2.3 to 5.2.3 (excl.)

Credits

  • Daniel Púa - devploit finder
  • WPScan coordinator

References

Problem Types

  • CWE-639 Authorization Bypass Through User-Controlled Key CWE