CVE-2026-7651
Insecure Direct Object Reference in User Registration & Membership WordPress Plugin
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_user_registration | wp_user_registration | up to and including 5.1.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the User Registration & Membership plugin for WordPress, versions up to and including 5.1.5. It is an Insecure Direct Object Reference (IDOR) issue caused by missing ownership validation on a user-controlled attachment ID.
This flaw allows authenticated users with subscriber-level access or higher to delete arbitrary media attachments uploaded by any other user, including administrators, because the plugin does not verify that the attachment belongs to the requesting user before allowing deletion.
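One way to enforce the missing ownership check, shown as an added example that is not the plugin's code or its actual patch. The AJAX action, nonce, parameter and function names are hypothetical, and the deletion path is assumed to be a logged-in AJAX handler.

```php
<?php
// Added illustration. Handler, action, nonce and parameter names are
// hypothetical; they are not taken from the plugin's source.

// The pattern CWE-639 describes: the ID comes straight from the request
// and is deleted with no check that it belongs to the caller.
function example_delete_upload_unchecked() {
    check_ajax_referer( 'example_delete_upload', 'nonce' );
    $attachment_id = absint( $_POST['attachment_id'] ?? 0 );
    wp_delete_attachment( $attachment_id, true ); // any logged-in user, any attachment
    wp_send_json_success();
}

// Hardened form: validate the object type and its owner before deleting.
function example_delete_upload_checked() {
    check_ajax_referer( 'example_delete_upload', 'nonce' );

    $attachment_id = absint( $_POST['attachment_id'] ?? 0 );
    // get_post( 0 ) would fall back to the global post, so guard the zero case.
    $attachment = $attachment_id ? get_post( $attachment_id ) : null;

    // Reject IDs that do not resolve to a media attachment.
    if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
        wp_send_json_error( array( 'message' => 'Invalid attachment.' ), 404 );
    }

    // Ownership check: the requester must be the uploader, or hold a
    // capability that WordPress maps to deleting this specific post.
    $is_owner = (int) $attachment->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'delete_post', $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // wp_delete_attachment() returns false or null on failure.
    if ( ! wp_delete_attachment( $attachment_id, true ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }
    wp_send_json_success();
}

// wp_ajax_* hooks fire only for logged-in users; register the checked handler.
add_action( 'wp_ajax_example_delete_upload', 'example_delete_upload_checked' );
```

The nonce only proves the request came from the site's own form; it says nothing about who owns the attachment, which is why the owner comparison is a separate step.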
How can this vulnerability impact me?
This vulnerability can lead to unauthorized deletion of media files on a WordPress site using the affected plugin. Attackers with subscriber-level access or above can permanently delete media attachments belonging to other users, including administrators.
Such unauthorized deletions can disrupt website content, cause data loss, and potentially impact site functionality or user experience.