What the vulnerability does
01 Description
The User Registration & Membership plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.2. This is due to incorrect authentication in the 'register_member' function. This makes it possible for unauthenticated attackers to log in as a newly registered user on the site whose account has the 'urm_user_just_created' user meta set.
Explanation of Vulnerability in Simple Terms
02 Summary
User Registration & Membership plugin for WordPress versions 5.1.2 and earlier contains an authentication bypass vulnerability. An attacker can gain unauthorized access to user accounts and sensitive data without valid credentials. The vulnerability requires specific network conditions to exploit but does not require user interaction. Site administrators should update immediately to a version newer than 5.1.2.
What an attacker can do
03 Attacker Capabilities
Bypass authentication and gain unauthorized access to user accounts and sensitive site data.
Potential impact on your site
04 Site Impact
User accounts and sensitive data are at risk of unauthorized access and modification.
Conditions required to exploit
05 Prerequisites
Network access to the site; no user credentials or interaction required.
Key dates
06 Disclosure timeline
February 26, 2026: CVE published
April 8, 2026: Record updated