CVE-2026-7651
Deferred Deferred - Pending Action
Insecure Direct Object Reference in User Registration & Membership WordPress Plugin

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Wordfence

Description
The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.5. This is due to missing ownership validation on a user-controlled attachment ID, allowing the plugin to store and subsequently delete arbitrary media attachments without verifying that the referenced attachment belongs to the requesting user. This makes it possible for authenticated attackers, with subscriber-level access and above, to permanently delete arbitrary media attachments uploaded by any other user, including administrators.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-7651
EUVD
EUVD-2026-32730
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wp_user_registration wp_user_registration to 5.1.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the User Registration & Membership plugin for WordPress, versions up to and including 5.1.5. It is an Insecure Direct Object Reference (IDOR) issue caused by missing ownership validation on a user-controlled attachment ID.

This flaw allows authenticated users with subscriber-level access or higher to delete arbitrary media attachments uploaded by any other user, including administrators, because the plugin does not verify that the attachment belongs to the requesting user before allowing deletion.

Impact Analysis

This vulnerability can lead to unauthorized deletion of media files on a WordPress site using the affected plugin. Attackers with subscriber-level access or above can permanently delete media attachments belonging to other users, including administrators.

Such unauthorized deletions can disrupt website content, cause data loss, and potentially impact site functionality or user experience.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7651. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart