CVE-2026-11961
Received Received - Intake

Unauthenticated Role Escalation in User Registration & Membership WordPress Plugin

Vulnerability report for CVE-2026-11961, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: WPScan

Description

The User Registration & Membership WordPress plugin before 5.2.3 does not validate that the membership tier submitted during public registration is one of the tiers allowed by the registration form before assigning that tier's associated user role, allowing unauthenticated users to register into an arbitrary published membership tier and obtain its role β€” up to administrator when such a tier exists.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wpengine user_registration_and_membership to 5.2.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the WordPress plugin User Registration & Membership before version 5.2.3. It allows unauthenticated users to register with any published membership tier, which assigns them the associated user role. If a tier grants administrator privileges, an attacker could gain admin access.

Detection Guidance

Check the installed version of the User Registration & Membership plugin. If it is below 5.2.3, the system is vulnerable. Use WordPress admin panel or run: wp plugin list | grep user_registration.

Impact Analysis

An attacker could exploit this to gain unauthorized admin access to your WordPress site, allowing them to take control of your website, modify content, steal data, or install malicious software.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive user data, violating compliance requirements under GDPR, HIPAA, or other regulations that mandate strict access controls and data protection.

Mitigation Strategies

Update the User Registration & Membership plugin to version 5.2.3 or later immediately. If updating is not possible, disable the plugin temporarily until the update is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11961. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart