๐Ÿ” CVE Alert

CVE-2026-11963

HIGH 8.1

User Registration & Membership < 5.2.2 - Subscriber+ Cross-User Role and Membership Tier Modification via IDOR

CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th

The User Registration & Membership WordPress plugin before 5.2.2 does not perform an authorization check on a membership-upgrade action and derives the user to modify from a caller-supplied identifier instead of the current user, allowing any authenticated user such as a subscriber to change another user's WordPress role and membership tier.

Vendor unknown
Product user registration & membership
Published Jul 13, 2026
Last Updated Jul 13, 2026
Stay Ahead of the Next One

Get instant alerts for unknown user registration & membership

Be the first to know when new high vulnerabilities affecting unknown user registration & membership are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Unknown / User Registration & Membership
0 < 5.2.2

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wpscan.com: https://wpscan.com/vulnerability/a34a916a-983e-48a5-8f10-99214ee3b613/

Credits

Revanth Hari Narayana Matte WPScan