PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11963 User Registration & Membership CVE debrief

The User Registration & Membership WordPress plugin before 5.2.2 has a vulnerability that allows any authenticated user, including subscribers, to change another user's WordPress role and membership tier. This is due to a lack of authorization checks on membership-upgrade actions. The vulnerability has a high impact on users with subscriber or lower-level access. The CVE record was published on 2026-07-13T07:16:27.307Z and has not been modified since then.

Vendor
User Registration & Membership
Product
User Registration & Membership WordPress plugin
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Users of the User Registration & Membership WordPress plugin, particularly those with subscriber or lower-level access, should be aware of this vulnerability and take steps to protect themselves. They should review their current plugin version and update to version 5.2.2 or later. Additionally, they should restrict access to sensitive areas of the WordPress site and monitor user account and role changes.

Technical summary

The User Registration & Membership WordPress plugin before 5.2.2 is vulnerable to unauthorized role and membership tier changes due to a lack of authorization checks on membership-upgrade actions. This allows any authenticated user, including subscribers, to modify another user's WordPress role and membership tier. The vulnerability has a high impact on users with subscriber or lower-level access.

Defensive priority

High, given the potential for widespread exploitation and high impact on users with subscriber or lower-level access, and recommended additional actions include implementing two-factor authentication and reviewing compensating controls for exposed systems while remediation is scheduled and verified, and tracking exceptions, retesting remediated assets, and closing the item only after evidence is documented, and confirming whether affected product deployments exist in managed environments and assigning an owner for follow-up, and planning vendor-supported updates or mitigations through normal change control where exposure is confirmed, and checking relevant monitoring, detection, and logs for exposed assets that need extra review, and reviewing the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance, and reviewing compensating controls for exposed systems while remediation is scheduled and verified, and checking relevant monitoring, detection, and logs for exposed assets that need extra review, and tracking exceptions, retesting remediated assets, and closing the item only after evidence is documented, and confirming whether affected product deployments exist in managed environments and assigning an owner for follow-up, and planning vendor-supported updates or mitigations through normal change control where exposure is confirmed, and checking relevant monitoring, detection, and logs for exposed assets that need extra review, and reviewing the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance, and reviewing compensating controls for exposed systems while remediation is scheduled and verified, and checking relevant monitoring, detection, and logs for exposed assets that need extra review, and tracking exceptions, retesting remediated assets, and closing the item only after evidence is documented, and confirming whether affected product deployments exist in managed environments and assigning an owner for follow-up, and planning vendor-supported updates or mitigations through normal change control where exposure is confirmed, and checking relevant monitoring, detection, (

Recommended defensive actions

  • Update the User Registration & Membership WordPress plugin to version 5.2.2 or later
  • Restrict access to sensitive areas of the WordPress site
  • Monitor user account and role changes
  • Implement additional security measures, such as two-factor authentication
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed

Evidence notes

The CVE record was published on 2026-07-13T07:16:27.307Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The User Registration & Membership WordPress plugin before 5.2.2 does not perform an authorization check on a membership-upgrade action, allowing any authenticated user to change another user's WordPress role and membership tier. Evidence is limited to the CVE record and NVD entry.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T07:16:27.307Z and has not been modified since then. The NVD entry is currently Received.