Skip to main content

User Registration & Membership EUVDEUVD-2026-41255

| CVE-2026-11965 MEDIUM
2026-07-02 contact@wpscan.com GHSA-hhpx-jgxv-4x4j
6.5
CVSS 3.1 · Vendor: wpscan
Share

Severity by source

Vendor (wpscan) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
6.5 MEDIUM

Open self-registration removes any privilege barrier (PR:N); network-accessible web plugin with no complexity or user interaction; low C and I for content access and subscription state manipulation only.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (wpscan).

CVSS VectorVendor: wpscan

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jul 02, 2026 - 13:54 vuln.today
CVSS changed
Jul 02, 2026 - 13:52 NVD
6.5 (MEDIUM)
Patch available
Jul 02, 2026 - 07:01 EUVD
CVE Published
Jul 02, 2026 - 06:16 cve.org
MEDIUM 6.5
CVE Published
Jul 02, 2026 - 06:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The User Registration & Membership WordPress plugin before 5.2.0 does not enforce payment completion before activating a paid membership subscription, allowing unauthenticated users (after self-registering an account through the open registration flow) to obtain an active subscription on any paid plan without paying and access the gated content.

AnalysisAI

Payment enforcement bypass in the User Registration & Membership WordPress plugin before 5.2.0 allows any visitor to self-register a free account and then activate a paid membership subscription without completing payment, gaining unauthorized access to gated premium content. The flaw is a business logic failure: the plugin activates the paid plan upon subscription initiation rather than upon confirmed payment receipt. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Visit WordPress site with open registration
Delivery
Self-register free account via public signup form
Exploit
Initiate paid membership subscription flow
Execution
Bypass payment completion enforcement
Persist
Receive active paid membership status
Impact
Access gated premium content without payment

Vulnerability AssessmentAI

Exploitation The plugin must be installed and active on a WordPress site with at least one paid membership plan configured, and the site must have open user registration enabled (the default WordPress setting). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) accurately reflects the exploitability profile: network-reachable, zero complexity, no prior authentication, and no user interaction required beyond a self-registration step that is intentionally open. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker visits a WordPress site running the vulnerable plugin, creates a free account through the open public registration form, and then navigates to a paid membership plan sign-up flow. By initiating the subscription without completing the payment gateway step - or by manipulating the request sequence - the attacker receives an active paid membership status and can immediately access gated premium content such as courses, downloads, or restricted articles. …
Remediation Update the User Registration & Membership plugin to version 5.2.0 or later immediately; this is the vendor-confirmed patched release per the WPScan advisory (https://wpscan.com/vulnerability/49f4c59e-5931-405d-8518-244531bbc889/) and NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-11965). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-41255 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy