User Registration Membership Free Paid Memberships Subscriptions Content Restriction User Profile Custom User Registration Login Builder
Monthly
Payment bypass in WPEverest's User Registration & Membership WordPress plugin (versions up to and including 5.2.0) allows unauthenticated remote attackers to activate paid memberships without completing payment. The vulnerability stems from missing authorization checks in the confirm_payment() function (CWE-862), which fails to validate that a legitimate payment transaction occurred before granting membership access. No public exploit or CISA KEV listing has been identified at time of analysis, but the attack is low-complexity and requires no authentication, making it trivially reachable by any internet-connected adversary.
Payment bypass in WPEverest's User Registration & Membership WordPress plugin (versions up to and including 5.2.0) allows unauthenticated remote attackers to activate paid memberships without completing payment. The vulnerability stems from missing authorization checks in the confirm_payment() function (CWE-862), which fails to validate that a legitimate payment transaction occurred before granting membership access. No public exploit or CISA KEV listing has been identified at time of analysis, but the attack is low-complexity and requires no authentication, making it trivially reachable by any internet-connected adversary.