Skip to main content

User Registration Membership Free Paid Memberships Subscriptions Content Restriction User Profile Custom User Registration Login Builder

1 CVEs product

Monthly

CVE-2026-1869 MEDIUM This Month

Payment bypass in WPEverest's User Registration & Membership WordPress plugin (versions up to and including 5.2.0) allows unauthenticated remote attackers to activate paid memberships without completing payment. The vulnerability stems from missing authorization checks in the confirm_payment() function (CWE-862), which fails to validate that a legitimate payment transaction occurred before granting membership access. No public exploit or CISA KEV listing has been identified at time of analysis, but the attack is low-complexity and requires no authentication, making it trivially reachable by any internet-connected adversary.

Authentication Bypass WordPress User Registration Membership Free Paid Memberships Subscriptions Content Restriction User Profile Custom User Registration Login Builder
NVD
CVSS 3.1
6.5
EPSS
0.2%
EPSS 0% CVSS 6.5
MEDIUM This Month

Payment bypass in WPEverest's User Registration & Membership WordPress plugin (versions up to and including 5.2.0) allows unauthenticated remote attackers to activate paid memberships without completing payment. The vulnerability stems from missing authorization checks in the confirm_payment() function (CWE-862), which fails to validate that a legitimate payment transaction occurred before granting membership access. No public exploit or CISA KEV listing has been identified at time of analysis, but the attack is low-complexity and requires no authentication, making it trivially reachable by any internet-connected adversary.

Authentication Bypass WordPress User Registration Membership Free Paid Memberships Subscriptions Content Restriction User Profile Custom User Registration Login Builder
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy