CVE-2026-2356
Insecure Direct Object Reference in WordPress URM Plugin Allows Account Deletion
Publication date: 2026-02-26
Last updated on: 2026-02-26
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpeverest | user_registration | up to and including 5.1.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
How can this vulnerability impact me?
An attacker exploiting this vulnerability can delete newly registered user accounts without authentication. This can lead to disruption of user access, loss of user data, and potential denial of service for legitimate users who have just registered.
Since the vulnerability allows deletion of user accounts, it can undermine the integrity and availability of the user base on the affected WordPress site.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
Can you explain this vulnerability to me?
The vulnerability exists in the User Registration & Membership WordPress plugin, specifically in the 'register_member' function. It is an Insecure Direct Object Reference (IDOR) vulnerability caused by missing validation on the 'member_id' parameter, which is controlled by the user.
This flaw allows unauthenticated attackers to delete arbitrary user accounts that were newly registered on the site and have the 'urm_user_just_created' user meta set.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the 'register_member' AJAX action in the User Registration & Membership WordPress plugin, which can be exploited via unauthenticated requests that manipulate the 'member_id' parameter to delete arbitrary user accounts.

To detect exploitation attempts on your system or network, you can monitor HTTP POST requests to the WordPress admin-ajax.php endpoint with the action parameter set to 'register_member'. Look for suspicious requests that include a 'member_id' parameter or attempts to delete users.

- Use web server access logs to search for POST requests to 'wp-admin/admin-ajax.php' with 'action=register_member'. For example, using grep on Apache or Nginx logs: `grep 'action=register_member' /var/log/apache2/access.log`
- Use tools like curl or wget to simulate or test the presence of the vulnerable endpoint by sending POST requests with the 'register_member' action and observing responses.
- Check WordPress user accounts for unexpected deletions or missing users who had the 'urm_user_just_created' user meta set.

[1]
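The grep above only works when the `action` parameter appears in the request line, which a default combined-format access log records; a POST whose parameters travel only in the body is not visible there unless a WAF or audit log captures the body. The following script is an added example, not part of this CVE record, that implements the same log check more precisely: it parses combined-format lines, keeps only POST requests to `admin-ajax.php` whose query string carries `action=register_member`, and reports the source IP, timestamp, response status and any `member_id` value. The log lines are constructed for the example; the IP addresses, timestamps and `member_id` values are assumptions, not data from the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx "combined" format:
#   ip ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

AJAX_PATH = "/wp-admin/admin-ajax.php"
SUSPECT_ACTION = "register_member"   # the AJAX action named in the advisory

# Constructed sample log lines (not real traffic): one ordinary page load,
# two POSTs to the suspect action (one carrying member_id), one unrelated AJAX call.
SAMPLE_LOG = [
    '203.0.113.10 - - [26/Feb/2026:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [26/Feb/2026:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=register_member&member_id=42 HTTP/1.1" 200 87 "-" "curl/8.0"',
    '198.51.100.7 - - [26/Feb/2026:10:01:12 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Feb/2026:10:02:40 +0000] "POST /wp-admin/admin-ajax.php?action=register_member HTTP/1.1" 200 87 "-" "python-requests/2.31"',
]


def parse_line(line):
    """Split one combined-format line into fields; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs gives lists; keep the first value of each parameter
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def find_register_member_requests(lines):
    """Return POST requests to admin-ajax.php whose query string sets action=register_member."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "POST" or not rec["path"].endswith(AJAX_PATH):
            continue
        if rec["params"].get("action") != SUSPECT_ACTION:
            continue
        hits.append({
            "ip": rec["ip"],
            "time": rec["time"],
            "status": rec["status"],
            # None when member_id was not in the query string (it may still be in the POST body)
            "member_id": rec["params"].get("member_id"),
        })
    return hits


def count_by_ip(hits):
    """Count matching requests per source IP, useful for spotting a single client enumerating member_id values."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in find_register_member_requests(SAMPLE_LOG):
        print(h)
    print(count_by_ip(find_register_member_requests(SAMPLE_LOG)))
```

To run it against a real log, replace `SAMPLE_LOG` with the lines of `/var/log/apache2/access.log` (or the Nginx equivalent). A hit with a `member_id` that differs from the account the client itself just registered is the pattern worth investigating, and a burst of hits from one IP with varying `member_id` values is a stronger signal than a single request.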
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the User Registration & Membership plugin to a version later than 5.1.2 where this vulnerability is fixed.

If an update is not immediately possible, restrict access to the 'register_member' AJAX action by limiting unauthenticated access or applying firewall rules to block suspicious POST requests to 'wp-admin/admin-ajax.php' with 'action=register_member'.

Additionally, monitor user accounts for unauthorized deletions and restore any affected accounts from backups if necessary.

Implement security best practices such as enabling Web Application Firewalls (WAF) and ensuring proper nonce verification and capability checks are enforced.

[1]