CVE-2026-11965
Severity: Medium (CVSS 6.5)
Exploitation Probability (EPSS): Low risk, 3rd percentile (higher than 3% of all known CVEs)
Summary
The User Registration & Membership WordPress plugin before version 5.2.0 does not enforce payment completion before activating a paid membership subscription. This allows unauthenticated users (after self-registering an account through the open registration flow) to obtain an active subscription on any paid plan without paying and access the gated content.
Risk Assessment
The organization faces financial loss and business model compromise, as unauthorized users can access paid content without payment, undermining the subscription system's integrity.
Recommendation
Immediately update the User Registration & Membership plugin to version 5.2.0 or later, which enforces payment completion before subscription activation.
Original NVD description (English source)
The User Registration & Membership WordPress plugin before 5.2.0 does not enforce payment completion before activating a paid membership subscription, allowing unauthenticated users (after self-registering an account through the open registration flow) to obtain an active subscription on any paid plan without paying and access the gated content.

