PatchSiren cyber security CVE debrief
CVE-2026-11966 User Registration & Membership CVE debrief
The CVE record for CVE-2026-11966 was published on 2026-07-17T07:16:37.947Z and has not been modified since then. The vulnerability is related to the User Registration & Membership WordPress plugin before version 5.2.3. The plugin has a vulnerability that allows unauthenticated attackers to delete recently-registered, payment-pending user accounts. This vulnerability is a result of the plugin not performing a capability check for unauthenticated callers on one of its membership payment actions and acting on a caller-supplied user identifier.
- Vendor
- User Registration & Membership
- Product
- User Registration & Membership WordPress plugin
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of the User Registration & Membership WordPress plugin, especially those with payment-pending user accounts, should be aware of this vulnerability. The vulnerability can lead to unauthorized deletion of user accounts, which can have significant operational impacts. Users should review their plugin versions and update to version 5.2.3 or later as soon as possible.
Technical summary
The User Registration & Membership WordPress plugin before version 5.2.3 has a vulnerability that allows unauthenticated attackers to delete recently-registered, payment-pending user accounts. This is because the plugin does not perform a capability check for unauthenticated callers on one of its membership payment actions and acts on a caller-supplied user identifier. The vulnerability can be exploited by unauthenticated attackers, which makes it a significant concern for users of the affected plugin.
Defensive priority
High priority for users of the affected plugin, as it allows for unauthorized deletion of user accounts.
Recommended defensive actions
- Update the User Registration & Membership WordPress plugin to version 5.2.3 or later
- Implement additional monitoring and logging to detect potential exploitation attempts
- Restrict access to sensitive areas of the WordPress site
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
Evidence is limited, as the CVE record and NVD entry provide minimal information. Further investigation and verification are necessary to fully understand the vulnerability. The CVE record was published on 2026-07-17T07:16:37.947Z and has not been modified since then. The vulnerability affects the User Registration & Membership WordPress plugin before version 5.2.3. The plugin does not perform a capability check for unauthenticated callers on one of its membership payment actions and acts on a caller-supplied user identifier.
Official resources
-
CVE-2026-11966 CVE record
CVE.org
-
CVE-2026-11966 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T07:16:37.947Z and has not been modified since then.