๐Ÿ” CVE Alert

CVE-2026-11964

CRITICAL 9.1

User Registration & Membership < 5.2.2 - Unauthenticated PayPal Webhook Signature Verification Bypass Leading to Membership Activation

CVSS Score
9.1
EPSS Score
0.0%
EPSS Percentile
0th

The User Registration & Membership WordPress plugin before 5.2.2 does not verify the authenticity of incoming payment-provider webhook notifications before acting on them, allowing unauthenticated attackers to forge a payment-approved event and activate a paid membership subscription without completing a real payment.

Vendor unknown
Product user registration & membership
Published Jul 13, 2026
Last Updated Jul 13, 2026
Stay Ahead of the Next One

Get instant alerts for unknown user registration & membership

Be the first to know when new critical vulnerabilities affecting unknown user registration & membership are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Unknown / User Registration & Membership
0 < 5.2.2

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wpscan.com: https://wpscan.com/vulnerability/faf55649-8f76-4abf-a6b9-0d0774e22d29/

Credits

Alessandro Greco aka Aleff Giovanbattista Ianni (University of Calabria - UNICAL) WPScan