PatchSiren cyber security CVE debrief

CVE-2026-7651 wpeverest CVE debrief

A WordPress plugin vulnerability allows authenticated users with subscriber-level access or higher to permanently delete arbitrary media attachments belonging to other users, including administrators. The issue stems from missing ownership validation on user-controlled attachment IDs in the User Registration & Membership plugin. The vulnerability was disclosed on 2026-05-28 with a CVSS 3.1 score of 5.3 (Medium). A patched version (5.2.0) is available.

Vendor
wpeverest
Product
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-28
Advisory published
2026-05-28
Advisory updated
2026-05-28

Who should care

WordPress site administrators using the User Registration & Membership plugin; security teams managing WordPress installations; compliance officers responsible for data integrity and access control audits.

Technical summary

The User Registration & Membership WordPress plugin (versions ≤ 5.1.5) contains an Insecure Direct Object Reference (IDOR) vulnerability classified as CWE-639 (Authorization Bypass Through User-Controlled Key). An attachment ID taken from the request is passed to the deletion routine without any check that the requesting user is the attachment's author. Any authenticated user with subscriber-level privileges or higher can therefore supply an arbitrary attachment ID and permanently delete media uploaded by any other user, administrators included. The vulnerability is remotely exploitable with low attack complexity; because this plugin exists to provide self-service registration, the subscriber role is frequently attainable by any visitor. The fix in version 5.2.0 adds ownership validation before attachment operations.
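The following is an added illustration of the CWE-639 pattern the summary describes, not the plugin's own code: the handler names, the nonce action, the request parameter and the helper are assumptions chosen for the example. Only the shape of the bug (a user-supplied attachment ID used for deletion without an ownership check) mirrors the advisory. The vulnerable handler is shown beside a hardened one that performs the ownership check the 5.2.0 fix is described as adding.

```php
<?php
// Added example (not the User Registration & Membership plugin's code).
// All names below are hypothetical; only the bug shape matches the advisory.

// Vulnerable shape: the caller is authenticated and the nonce is valid, but
// nothing ties the attachment ID to the caller, so any attachment on the
// site can be passed in and deleted (CWE-639).
function example_remove_profile_picture_vulnerable() {
    check_ajax_referer( 'example_profile_nonce', 'security' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    $attachment_id = absint( $_POST['attachment_id'] ?? 0 );
    wp_delete_attachment( $attachment_id, true ); // IDOR: ID never validated
    wp_send_json_success();
}

// Hardened shape: the ID must refer to an attachment the current user owns,
// or the user must hold WordPress's own delete capability for it.
function example_remove_profile_picture_fixed() {
    check_ajax_referer( 'example_profile_nonce', 'security' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    $attachment_id = absint( $_POST['attachment_id'] ?? 0 );
    if ( ! example_user_owns_attachment( get_current_user_id(), $attachment_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_delete_attachment( $attachment_id, true );
    wp_send_json_success();
}

// Ownership check: the post must exist, must be an attachment, and must be
// authored by the caller. Non-owners fall back to the core meta capability
// 'delete_post', which maps to delete_others_posts for editors and
// administrators and is not granted to subscribers.
function example_user_owns_attachment( int $user_id, int $attachment_id ): bool {
    $post = get_post( $attachment_id );
    if ( ! $post instanceof WP_Post || 'attachment' !== $post->post_type ) {
        return false;
    }
    return (int) $post->post_author === $user_id
        || current_user_can( 'delete_post', $attachment_id );
}

add_action( 'wp_ajax_example_remove_profile_picture', 'example_remove_profile_picture_fixed' );
```

A stronger design for a profile-picture flow is to not accept the attachment ID from the request at all and instead read the ID the site stored for the current user (for example from user meta) so there is no user-controlled key to validate; the check above is the minimal change when the request must carry the ID.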

Defensive priority

medium

Recommended defensive actions

  • Update the User Registration & Membership WordPress plugin to version 5.2.0 or later to remediate this vulnerability.
  • Review logs for deletion activity by subscriber-level or higher accounts. WordPress does not record attachment deletions by default, so rely on web-server access logs, an audit-log plugin, or a comparison of the current media library against a backup taken before 2026-05-28; extend the review window from before the disclosure date through the day the patch was applied.
  • Apply the principle of least privilege by auditing user roles and removing unnecessary accounts. Because this plugin provides self-service registration, treat the subscriber role as reachable by any visitor on sites with open sign-up, and restrict or moderate registration where that is not intended.
  • As a defense-in-depth measure, consider additional access controls on media attachment operations through WordPress hooks or a security plugin, for example refusing attachment deletions by users who are neither the attachment's author nor holders of the core delete capability.
  • Verify backup integrity for media attachments so that unauthorized deletions can be recovered. Check that backups include the uploads directory and not only the database, since the deletion described here removes the file as well as its attachment record.
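One way to implement the hook-based defense-in-depth control recommended above is a must-use plugin built on the core `pre_delete_attachment` filter (available since WordPress 5.5). This is an added example, not part of the plugin or of the advisory; the plugin name, function prefix and log format are assumptions, and the rule it enforces (only the author or a user with the core delete capability may delete an attachment) assumes the site has no legitimate flow in which other users delete someone else's media.

```php
<?php
/**
 * Plugin Name: Attachment ownership guard (added example, not vendor code)
 * Description: Refuses deletion of an attachment by anyone who is neither its
 *              author nor holds the core delete_post capability for it.
 *
 * Install by copying into wp-content/mu-plugins/. Requires WordPress 5.5+
 * for the pre_delete_attachment filter. Assumption: no legitimate site flow
 * deletes another user's attachment without that capability; extend the
 * allow logic below if yours does.
 */

add_filter( 'pre_delete_attachment', 'aog_guard_attachment_delete', 10, 3 );

/**
 * @param WP_Post|false|null $delete       Prior filter decision, null if none.
 * @param WP_Post            $post         The attachment about to be deleted.
 * @param bool               $force_delete Whether the trash is being bypassed.
 * @return WP_Post|false|null  null lets core proceed; false aborts the deletion.
 */
function aog_guard_attachment_delete( $delete, $post, $force_delete ) {
    // Another filter has already decided; do not override it.
    if ( null !== $delete ) {
        return $delete;
    }

    $user_id = get_current_user_id();

    // No logged-in user: WP-CLI and cron maintenance are allowed; anything
    // else (an unauthenticated web request) is refused.
    if ( 0 === $user_id ) {
        if ( ( defined( 'WP_CLI' ) && WP_CLI ) || wp_doing_cron() ) {
            return null;
        }
        aog_log_blocked( $post, 0 );
        return false;
    }

    // The attachment's author may delete it.
    if ( (int) $post->post_author === $user_id ) {
        return null;
    }

    // Editors and administrators hold delete_others_posts via the
    // 'delete_post' meta capability; subscribers do not.
    if ( user_can( $user_id, 'delete_post', $post->ID ) ) {
        return null;
    }

    aog_log_blocked( $post, $user_id );
    return false; // wp_delete_attachment() returns false and deletes nothing
}

/** Writes a single line to the PHP error log so blocked attempts can be reviewed. */
function aog_log_blocked( WP_Post $post, int $user_id ): void {
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'cli';
    error_log( sprintf(
        'attachment-guard: blocked deletion of attachment %d (author %d) by user %d from %s',
        $post->ID,
        (int) $post->post_author,
        $user_id,
        $remote
    ) );
}
```

This guard does not replace the update to 5.2.0; it limits the blast radius while the patch is rolled out and afterwards covers any other code path that deletes attachments on behalf of a user. The `attachment-guard:` lines it writes to the PHP error log are also a practical source for the log review recommended above, since core itself does not log deletions.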

Evidence notes

The vulnerability description indicates the issue affects all versions up to and including 5.1.5. Source references include WordPress plugin repository browser links to affected code locations (class-ur-frontend.php lines 86 and 114, functions-ur-core.php line 4262) and a changeset showing the fix in version 5.2.0. The Wordfence advisory provides additional context. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N indicates network attack vector, low attack complexity, no privileges required (though the description states subscriber+ access is needed), no user interaction, unchanged scope, with impact limited to integrity (low). CWE-639 (Authorization Bypass Through User-Controlled Key) is identified as the weakness type.

Official resources

2026-05-28