CVE Catalog

CVE-2026-1869

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile — higher than 8% of all known CVEs

Summary

The User Registration & Membership plugin for WordPress up to version 5.2.0 contains a vulnerability due to missing validation in the confirm_payment() function. This allows unauthenticated attackers to bypass payment processing and activate paid memberships.

Risk Assessment

The organization may suffer financial losses due to unauthorized access to paid features and compromise of subscription data integrity.

Recommendation

Immediately update the plugin to the latest available version that includes a fix for this vulnerability.

Original NVD description (English source)

The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to unauthorized modification of data due to missing validation checks in the confirm_payment() function in all versions up to, and including, 5.2.0. This makes it possible for unauthenticated attackers to bypass payment processing and activate paid memberships.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS