Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Network-reachable action needing only a low-privileged authenticated account (PR:L) and no interaction; role rewrite to admin yields high confidentiality and integrity impact, no availability effect.
Primary rating from Vendor (WPScan).
CVSS VectorVendor: WPScan
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
5DescriptionCVE.org
The User Registration & Membership WordPress plugin before 5.2.2 does not perform an authorization check on a membership-upgrade action and derives the user to modify from a caller-supplied identifier instead of the current user, allowing any authenticated user such as a subscriber to change another user's WordPress role and membership tier.
Articles & Coverage 1
AnalysisAI
Privilege escalation in the User Registration & Membership WordPress plugin before 5.2.2 lets any authenticated low-privileged user (e.g. a subscriber) alter another account's WordPress role and membership tier. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated low-privileged account (PR:L) - trivially obtained on the many sites that enable open subscriber self-registration, which is this plugin's primary purpose. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine priority rather than an inflated high-CVSS finding. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a normal subscriber account on a WordPress site running the vulnerable plugin (or uses any existing low-privileged login). Using the publicly available exploit, they send the membership-upgrade request while supplying their own user ID as the caller-controlled target identifier and a higher role/tier value, causing the plugin to promote their account - potentially to administrator - without any authorization check. … |
| Remediation | Vendor-released patch: upgrade the User Registration & Membership plugin to version 5.2.2 or later, which restores the authorization check and binds the membership-upgrade action to the authenticated user; this is the definitive fix (see the WPScan advisory at https://wpscan.com/vulnerability/a34a916a-983e-48a5-8f10-99214ee3b613/). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all WordPress installations running User Registration & Membership plugin, identify current versions, and flag any running versions prior to 5.2.2 as critical. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in User Registration Membership
View allThe User Registration & Membership WordPress plugin before version 4.1.2 fails to prevent users from setting their accou
The User Registration & Membership WordPress plugin before 4.1.3 does not properly validate data in an AJAX action when
Payment-verification bypass in the User Registration & Membership WordPress plugin before 5.2.2 lets unauthenticated att
Deserialization of Untrusted Data vulnerability in WPEverest User Registration.3.2.1. Rated high severity (CVSS 7.4), th
The User Registration & Membership - Custom Registration Form, Login Form, and User Profile plugin for WordPress is vuln
The User Registration - Custom Registration Form, Login Form, and User Profile WordPress Plugin plugin for WordPress is
The User Registration & Membership - Custom Registration Form, Login Form, and User Profile plugin for WordPress is vuln
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43284
GHSA-qxg2-gwhj-546g