Skip to main content

User Registration & Membership CVE-2026-11964

| EUVDEUVD-2026-43285 CRITICAL
2026-07-13 WPScan GHSA-6f2x-47pc-8mpq
9.1
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.2 HIGH

Unauthenticated remote webhook forgery (AV:N/AC:L/PR:N/UI:N); primary impact is integrity from activating memberships (I:H), with only limited confidentiality from gained content access (C:L) and no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jul 13, 2026 - 19:10 vuln.today
CVSS changed
Jul 13, 2026 - 19:07 NVD
9.1 (CRITICAL)
Patch available
Jul 13, 2026 - 08:01 EUVD
CVE Published
Jul 13, 2026 - 06:00 cve.org
CRITICAL 9.1
CVE Published
Jul 13, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The User Registration & Membership WordPress plugin before 5.2.2 does not verify the authenticity of incoming payment-provider webhook notifications before acting on them, allowing unauthenticated attackers to forge a payment-approved event and activate a paid membership subscription without completing a real payment.

AnalysisAI

Payment-verification bypass in the User Registration & Membership WordPress plugin before 5.2.2 lets unauthenticated attackers forge a payment-provider webhook to mark a subscription as paid, activating premium memberships without any real transaction. WPScan reports publicly available exploit code, though there is no public exploit identified as being used in active attacks (not in CISA KEV). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach public WordPress site
Delivery
Identify membership webhook endpoint
Exploit
Forge payment-approved webhook POST
Execution
Plugin skips authenticity check
Persist
Membership activated without payment
Impact
Access paid/gated content

Vulnerability AssessmentAI

Exploitation The specific prerequisite is that the site runs the User Registration & Membership plugin (before 5.2.2) with paid membership/subscription functionality enabled and its payment-provider webhook/callback endpoint exposed - which is the normal configuration for any site selling memberships. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, score 9.1) reflects a network-reachable, low-complexity, unauthenticated attack with no user interaction - highly favorable for an attacker. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker signs up (or targets an existing pending order) on a site running the vulnerable plugin, then sends a crafted HTTP POST to the plugin's payment webhook endpoint mimicking a 'payment approved' event for their account. Because the plugin does not verify the notification's authenticity, it activates the paid membership and grants access to gated content - with no payment made. …
Remediation Vendor-released patch: upgrade the User Registration & Membership plugin to version 5.2.2 or later, which is available from the vendor per the WPScan advisory (https://wpscan.com/vulnerability/faf55649-8f76-4abf-a6b9-0d0774e22d29/). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, immediately disable the User Registration & Membership plugin and review webhook and subscription logs for suspicious activity indicating exploitation. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11964 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy