CVE-2026-11966
Received Received - Intake

Unauthenticated User Account Deletion in User Registration & Membership WordPress Plugin

Vulnerability report for CVE-2026-11966, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: WPScan

Description

The User Registration & Membership WordPress plugin before 5.2.3 does not perform a capability check for unauthenticated callers on one of its membership payment actions and acts on a caller-supplied user identifier, allowing unauthenticated attackers to delete recently-registered, payment-pending user accounts.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wpbeaver the_user_registration_and_membership_plugin to 5.2.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an unauthenticated limited user deletion flaw in the User Registration & Membership WordPress plugin before version 5.2.3. It allows attackers to delete recently-registered user accounts that are in a payment-pending state by exploiting a missing capability check in a membership payment action. The attack involves supplying a user identifier and forcing a Stripe API failure, which triggers an exception handler that deletes the targeted user.

Detection Guidance

Check if the User Registration & Membership WordPress plugin is installed and verify its version. If it is below 5.2.3, the vulnerability may exist. Inspect server logs for unusual user deletion requests or failed Stripe API calls associated with user accounts.

Impact Analysis

If you use the affected plugin version, attackers could delete user accounts that have not yet completed payment. This could disrupt legitimate user registrations, cause data loss for pending users, and potentially affect business operations relying on user accounts.

Compliance Impact

This vulnerability could potentially affect compliance with GDPR and HIPAA by allowing unauthorized deletion of user accounts. Under GDPR, users have the right to erasure, but unauthorized deletion by attackers may violate data integrity and accountability requirements. HIPAA requires protection of patient data, and unauthorized account deletion could disrupt access controls.

Mitigation Strategies

Update the User Registration & Membership plugin to version 5.2.3 or later immediately. If updating is not possible, disable the plugin temporarily until an update is applied. Review user accounts for unauthorized deletions and monitor for suspicious activity.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11966. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart