CVE-2026-1869
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
The User Registration & Membership plugin for WordPress up to version 5.2.0 contains a vulnerability due to missing validation in the confirm_payment() function. This allows unauthenticated attackers to bypass payment processing and activate paid memberships.
Risk Assessment
The organization may suffer financial losses due to unauthorized access to paid features and compromise of subscription data integrity.
Recommendation
Immediately update the plugin to the latest available version that includes a fix for this vulnerability.
Original NVD description (English source)
The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to unauthorized modification of data due to missing validation checks in the confirm_payment() function in all versions up to, and including, 5.2.0. This makes it possible for unauthenticated attackers to bypass payment processing and activate paid memberships.

