CVE Catalog

CVE-2026-11965

Medium (CVSS 6.5)

Exploitation Probability (EPSS)

Low risk
0.14%

3rd percentile: higher than 3% of all known CVEs

Summary

The User Registration & Membership WordPress plugin before version 5.2.0 does not enforce payment completion before activating a paid membership subscription. This allows unauthenticated users (after self-registering an account through the open registration flow) to obtain an active subscription on any paid plan without paying and access the gated content.

Risk Assessment

The organization faces financial loss and business model compromise, as unauthorized users can access paid content without payment, undermining the subscription system's integrity.

Recommendation

Immediately update the User Registration & Membership plugin to version 5.2.0 or later, which enforces payment completion before subscription activation.

Original NVD description (English source)

The User Registration & Membership WordPress plugin before 5.2.0 does not enforce payment completion before activating a paid membership subscription, allowing unauthenticated users (after self-registering an account through the open registration flow) to obtain an active subscription on any paid plan without paying and access the gated content.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS