The User Registration & Membership WordPress plugin before 5.2.2 does not verify the authenticity of incoming payment-provider webhook notifications before acting on them, allowing unauthenticated attackers to forge a payment-approved event and activate a paid membership subscription without completing a real payment. This vulnerability has a high impact on users with active paid membership subscriptions, [truncated]
ReviewUser Registration & MembershipCVE published 2026-07-13
The User Registration & Membership WordPress plugin before 5.2.2 has a vulnerability that allows any authenticated user, including subscribers, to change another user's WordPress role and membership tier. This is due to a lack of authorization checks on membership-upgrade actions. The vulnerability has a high impact on users with subscriber or lower-level access. The CVE record was published on 2026-07-13 [truncated]