Skip to main content

User Registration Membership EUVDEUVD-2026-43284

| CVE-2026-11963 HIGH
2026-07-13 WPScan GHSA-qxg2-gwhj-546g
8.1
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.1 HIGH

Network-reachable action needing only a low-privileged authenticated account (PR:L) and no interaction; role rewrite to admin yields high confidentiality and integrity impact, no availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jul 13, 2026 - 19:10 vuln.today
CVSS changed
Jul 13, 2026 - 19:07 NVD
8.1 (HIGH)
Patch available
Jul 13, 2026 - 08:01 EUVD
CVE Published
Jul 13, 2026 - 06:00 cve.org
HIGH 8.1
CVE Published
Jul 13, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The User Registration & Membership WordPress plugin before 5.2.2 does not perform an authorization check on a membership-upgrade action and derives the user to modify from a caller-supplied identifier instead of the current user, allowing any authenticated user such as a subscriber to change another user's WordPress role and membership tier.

AnalysisAI

Privilege escalation in the User Registration & Membership WordPress plugin before 5.2.2 lets any authenticated low-privileged user (e.g. a subscriber) alter another account's WordPress role and membership tier. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain subscriber account
Delivery
Log in and locate membership-upgrade action
Exploit
Send request with attacker-controlled user ID and elevated role
Execution
Plugin skips authorization and rewrites target role
Persist
Account escalated to administrator
Impact
Full site takeover

Vulnerability AssessmentAI

Exploitation Requires an authenticated low-privileged account (PR:L) - trivially obtained on the many sites that enable open subscriber self-registration, which is this plugin's primary purpose. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine priority rather than an inflated high-CVSS finding. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a normal subscriber account on a WordPress site running the vulnerable plugin (or uses any existing low-privileged login). Using the publicly available exploit, they send the membership-upgrade request while supplying their own user ID as the caller-controlled target identifier and a higher role/tier value, causing the plugin to promote their account - potentially to administrator - without any authorization check. …
Remediation Vendor-released patch: upgrade the User Registration & Membership plugin to version 5.2.2 or later, which restores the authorization check and binds the membership-upgrade action to the authenticated user; this is the definitive fix (see the WPScan advisory at https://wpscan.com/vulnerability/a34a916a-983e-48a5-8f10-99214ee3b613/). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all WordPress installations running User Registration & Membership plugin, identify current versions, and flag any running versions prior to 5.2.2 as critical. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43284 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy