What the vulnerability does
01 Description
The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.5. This is due to missing ownership validation on a user-controlled attachment ID, allowing the plugin to store and subsequently delete arbitrary media attachments without verifying that the referenced attachment belongs to the requesting user. This makes it possible for authenticated attackers, with subscriber-level access and above, to permanently delete arbitrary media attachments uploaded by any other user, including administrators.
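The missing check described above, sketched as an added example: this is not the plugin's code. The function names and the meta key are hypothetical, and the code assumes it runs inside WordPress. It contrasts storing a submitted attachment ID as-is with validating ownership both when the ID is stored and again before deletion.

```php
<?php
// Added illustration. All demo_* names and the meta key are hypothetical;
// only the WordPress core functions called here are real.

const DEMO_META_KEY = 'demo_profile_attachment_id'; // hypothetical user-meta key

/** True only if $attachment_id is a media attachment uploaded by $user_id. */
function demo_user_owns_attachment( $attachment_id, $user_id ) {
    $post = get_post( absint( $attachment_id ) );
    return $post instanceof WP_Post
        && 'attachment' === $post->post_type
        && (int) $post->post_author === (int) $user_id;
}

/** Vulnerable pattern: the submitted ID is sanitized as an integer but never
 *  tied to the requesting user, so any attachment ID is accepted and stored. */
function demo_store_attachment_vulnerable( $user_id, $submitted_id ) {
    update_user_meta( $user_id, DEMO_META_KEY, absint( $submitted_id ) );
}

/** Hardened store: reject IDs that are not the user's own attachment. */
function demo_store_attachment( $user_id, $submitted_id ) {
    $id = absint( $submitted_id );
    if ( ! demo_user_owns_attachment( $id, $user_id ) ) {
        return new WP_Error( 'demo_forbidden', 'Attachment does not belong to this user.' );
    }
    update_user_meta( $user_id, DEMO_META_KEY, $id );
    return $id;
}

/** Hardened delete: re-check ownership, because a stored value may predate
 *  the fix or may have been written through another code path. */
function demo_delete_stored_attachment( $user_id ) {
    $id = absint( get_user_meta( $user_id, DEMO_META_KEY, true ) );
    delete_user_meta( $user_id, DEMO_META_KEY ); // always drop the reference
    if ( ! $id || ! demo_user_owns_attachment( $id, $user_id ) ) {
        return false; // never delete media the user does not own
    }
    return (bool) wp_delete_attachment( $id, true );
}
```

Checking again at delete time matters on sites that ran an affected version, since attachment IDs stored before the update were never validated.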
Explanation of Vulnerability in Simple Terms
02 Summary
A vulnerability in wpeverest's User Registration & Membership plugin allows attackers to modify data without authentication. The flaw affects versions up to 5.1.5 and requires only network access to exploit. Site administrators should update immediately to prevent unauthorized changes to user registrations, memberships, or related plugin data.
What an attacker can do
03 Attacker Capabilities
Modify user registration, membership, or plugin data without logging in.
Potential impact on your site
04 Site Impact
Attackers can alter user accounts, memberships, subscriptions, or registration data on your site.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
May 28, 2026: CVE published
May 28, 2026: Record updated