CVE-2026-11964
Received Received - Intake

Unauthenticated Membership Activation in User Registration & Membership WordPress Plugin

Vulnerability report for CVE-2026-11964, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: WPScan

Description

The User Registration & Membership WordPress plugin before 5.2.2 does not verify the authenticity of incoming payment-provider webhook notifications before acting on them, allowing unauthenticated attackers to forge a payment-approved event and activate a paid membership subscription without completing a real payment.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wpengine user_registration_and_membership to 5.2.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The User Registration & Membership WordPress plugin before version 5.2.2 contains a critical vulnerability that allows unauthenticated attackers to bypass PayPal webhook signature verification.

This flaw enables attackers to forge a payment-approved event, activating paid membership subscriptions without completing an actual payment.

The vulnerability occurs because the plugin does not verify the authenticity of incoming PayPal webhook notifications before processing them.

An attacker can exploit this by first signing up for a paid membership plan, which creates a pending order and subscription, then sending a crafted PayPal webhook event with a custom ID matching their pending order.

Since the plugin does not enforce signature verification, the forged webhook is accepted, completing the order and activating the subscription without real payment.

Compliance Impact

The vulnerability allows unauthenticated attackers to activate paid membership subscriptions without completing a real payment by forging payment-approved webhook events. This unauthorized access to paid or gated content could lead to financial fraud and unauthorized data access.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the unauthorized activation of memberships and potential access to protected content may raise concerns regarding data protection and financial transaction integrity under such regulations.

Proper verification of webhook notifications is critical to prevent unauthorized access and ensure compliance with security requirements that underpin many regulatory frameworks.

Impact Analysis

This vulnerability can lead to unauthorized activation of paid membership subscriptions without actual payment.

Attackers can gain access to paid or gated content fraudulently, potentially causing financial losses to the site owner.

It may also damage the reputation of the affected website due to fraudulent access and misuse of services.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or forged PayPal webhook events sent to the User Registration & Membership plugin's webhook endpoint. Specifically, look for webhook requests that activate paid membership subscriptions without corresponding legitimate payments.

Since the plugin does not verify webhook signatures, you can inspect incoming webhook HTTP requests to the plugin's webhook route for suspicious or unexpected payloads, especially those that reference pending orders.

Commands to help detect this might include using web server logs or network traffic capture tools to filter for POST requests to the webhook endpoint. For example, using grep on Apache or Nginx logs:

  • grep 'POST /path-to-webhook-endpoint' /var/log/apache2/access.log
  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

Additionally, reviewing the plugin's database entries for subscriptions that changed from pending to active without corresponding payment confirmation timestamps may help identify exploitation.

Mitigation Strategies

The immediate and most effective mitigation is to update the User Registration & Membership WordPress plugin to version 5.2.2 or later, where the vulnerability has been fixed by enforcing proper verification of PayPal webhook signatures.

If updating immediately is not possible, consider temporarily disabling the plugin's webhook processing or restricting access to the webhook endpoint to trusted IP addresses to prevent unauthorized webhook events.

Additionally, monitor your membership subscriptions for any suspicious activations that do not correspond to real payments and revoke unauthorized memberships if detected.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11964. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart