What the vulnerability does
01 Description
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.1 via the create_stripe_subscription() function, due to missing validation on the 'member_id' user controlled key. This makes it possible for unauthenticated attackers to delete arbitrary user accounts that have registered through the plugin.
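The missing-validation pattern the description refers to, shown beside a hardened version, as an added illustration that is not the plugin's own code. The hook names, nonce action and handler names are hypothetical; the WordPress API calls are real, and the example assumes 'member_id' maps to a WordPress user ID.

```php
<?php
// Added illustration, not the plugin's code. Hook names, nonce action and
// handler names are hypothetical; the WordPress functions used are real.

// Weak pattern: member_id comes straight from the request and is acted on
// with no check of who is calling or whether they own that account.
function example_weak_subscription_handler() {
    $member_id = absint( $_POST['member_id'] ?? 0 );
    // ... account for $member_id is modified or removed here ...
    wp_send_json_success();
}
// A nopriv registration makes the handler reachable without logging in.
add_action( 'wp_ajax_nopriv_example_subscription', 'example_weak_subscription_handler' );
add_action( 'wp_ajax_example_subscription',        'example_weak_subscription_handler' );

// Hardened pattern: require a logged-in caller, verify a nonce, and bind the
// supplied member_id to the caller's own account unless the caller holds an
// explicit elevated capability.
function example_hardened_subscription_handler() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    // Dies with a 403 response when the nonce is missing or invalid.
    check_ajax_referer( 'example_subscription_nonce', 'nonce' );

    $member_id = absint( $_POST['member_id'] ?? 0 );
    $caller_id = get_current_user_id();

    // Ownership check (assumption: member_id is the WordPress user ID).
    if ( $member_id === 0 || ( $member_id !== $caller_id && ! current_user_can( 'edit_users' ) ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // ... safe to act on $member_id here ...
    wp_send_json_success();
}
// Logged-in hook only; no nopriv registration for the hardened handler.
add_action( 'wp_ajax_example_subscription_v2', 'example_hardened_subscription_handler' );
```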
Explanation of Vulnerability in Simple Terms
02 Summary
A vulnerability in User Registration & Membership allows attackers to modify data without authentication. The flaw affects versions up to 4.2.1 and requires only network access to exploit. Site administrators should update immediately to prevent unauthorized changes to user registration, membership, or profile information.
What an attacker can do
03 Attacker Capabilities
Modify user registration, membership, or profile data without logging in.
Potential impact on your site
04 Site Impact
Attackers can alter user accounts, memberships, or registration data on your site without permission.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
May 6, 2025: CVE published
April 8, 2026: Record updated