PatchSiren

User Registration & Membership CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

Review User Registration & Membership CVE published 2026-07-13

CVE-2026-11964

The User Registration & Membership WordPress plugin before 5.2.2 does not verify the authenticity of incoming payment-provider webhook notifications before acting on them, allowing unauthenticated attackers to forge a payment-approved event and activate a paid membership subscription without completing a real payment. This vulnerability has a high impact on users with active paid membership subscriptions, [truncated]

Review User Registration & Membership CVE published 2026-07-13

CVE-2026-11963

The User Registration & Membership WordPress plugin before 5.2.2 has a vulnerability that allows any authenticated user, including subscribers, to change another user's WordPress role and membership tier. This is due to a lack of authorization checks on membership-upgrade actions. The vulnerability has a high impact on users with subscriber or lower-level access. The CVE record was published on 2026-07-13 [truncated]