CVE-2026-11963
Received Received - Intake

Unauthorized Role Escalation in User Registration & Membership WordPress Plugin

Vulnerability report for CVE-2026-11963, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: WPScan

Description

The User Registration & Membership WordPress plugin before 5.2.2 does not perform an authorization check on a membership-upgrade action and derives the user to modify from a caller-supplied identifier instead of the current user, allowing any authenticated user such as a subscriber to change another user's WordPress role and membership tier.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wpengine user_registration_and_membership to 5.2.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthorized modification of user roles and membership tiers, including escalation to administrator privileges, due to lack of proper authorization checks.

Such unauthorized access and privilege escalation can lead to violations of common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of user data.

By enabling attackers to change user roles without authorization, the vulnerability undermines the principle of least privilege and can result in unauthorized data access or modification, potentially causing non-compliance with these regulations.

Executive Summary

CVE-2026-11963 is a vulnerability in the WordPress plugin "User Registration & Membership" versions before 5.2.2. It is an Insecure Direct Object Reference (IDOR) issue that allows any authenticated user, such as a subscriber, to change another user's WordPress role and membership tier without proper authorization.

The problem arises because the plugin does not check if the current user has permission to modify the target user's membership details. Instead, it uses a caller-supplied identifier (like a subscription ID) to determine which user's membership to change.

An attacker can exploit this by logging in as a subscriber, obtaining a nonce from a public membership listing page, and sending a crafted request with the victim's subscription ID and desired membership tier. This results in the victim's membership and role being upgraded without validating the attacker's permissions.

There is also a self-escalation variant where an attacker can escalate their own account to a higher-privileged role, including Administrator, if certain non-default configurations exist.

Impact Analysis

This vulnerability can allow an attacker with a low-level authenticated account, such as a subscriber, to escalate their privileges by changing their own or another user's WordPress role and membership tier.

Such unauthorized privilege escalation can lead to attackers gaining administrative access, which may allow them to control the website, modify content, access sensitive data, or perform other malicious actions.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the plugin's AJAX endpoint that include membership-upgrade actions with caller-supplied user identifiers.

Specifically, detection involves looking for authenticated users with subscriber roles sending requests that attempt to modify other users' membership tiers or roles.

A practical approach is to inspect web server logs or use network monitoring tools to identify POST requests containing parameters such as subscription IDs and membership tier IDs that do not belong to the authenticated user.

Commands to help detect this might include using grep or similar tools on server logs to find suspicious AJAX requests, for example:

  • grep 'wp-admin/admin-ajax.php' /var/log/apache2/access.log | grep 'membership-upgrade'
  • grep 'subscription_id' /var/log/apache2/access.log | grep 'POST'

Additionally, monitoring for unexpected role changes in WordPress user accounts can help identify exploitation attempts.

Mitigation Strategies

The immediate and most effective mitigation is to update the User Registration & Membership WordPress plugin to version 5.2.2 or later, where this vulnerability has been fixed.

Until the update can be applied, restrict access to the plugin's AJAX endpoints to trusted users only, if possible.

Additionally, monitor user role changes closely and consider temporarily limiting the permissions of subscriber roles to reduce the risk of exploitation.

Implementing web application firewall (WAF) rules to detect and block suspicious membership-upgrade requests can also help mitigate the risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11963. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart