PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11966 User Registration & Membership CVE debrief

The CVE record for CVE-2026-11966 was published on 2026-07-17T07:16:37.947Z and has not been modified since then. The vulnerability is related to the User Registration & Membership WordPress plugin before version 5.2.3. The plugin has a vulnerability that allows unauthenticated attackers to delete recently-registered, payment-pending user accounts. This vulnerability is a result of the plugin not performing a capability check for unauthenticated callers on one of its membership payment actions and acting on a caller-supplied user identifier.

Vendor
User Registration & Membership
Product
User Registration & Membership WordPress plugin
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of the User Registration & Membership WordPress plugin, especially those with payment-pending user accounts, should be aware of this vulnerability. The vulnerability can lead to unauthorized deletion of user accounts, which can have significant operational impacts. Users should review their plugin versions and update to version 5.2.3 or later as soon as possible.

Technical summary

The User Registration & Membership WordPress plugin before version 5.2.3 has a vulnerability that allows unauthenticated attackers to delete recently-registered, payment-pending user accounts. This is because the plugin does not perform a capability check for unauthenticated callers on one of its membership payment actions and acts on a caller-supplied user identifier. The vulnerability can be exploited by unauthenticated attackers, which makes it a significant concern for users of the affected plugin.

Defensive priority

High priority for users of the affected plugin, as it allows for unauthorized deletion of user accounts.

Recommended defensive actions

  • Update the User Registration & Membership WordPress plugin to version 5.2.3 or later
  • Implement additional monitoring and logging to detect potential exploitation attempts
  • Restrict access to sensitive areas of the WordPress site
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

Evidence is limited, as the CVE record and NVD entry provide minimal information. Further investigation and verification are necessary to fully understand the vulnerability. The CVE record was published on 2026-07-17T07:16:37.947Z and has not been modified since then. The vulnerability affects the User Registration & Membership WordPress plugin before version 5.2.3. The plugin does not perform a capability check for unauthenticated callers on one of its membership payment actions and acts on a caller-supplied user identifier.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T07:16:37.947Z and has not been modified since then.