CVE-2026-11966
Description
The User Registration & Membership WordPress plugin before 5.2.3 does not perform a capability check for unauthenticated callers on one of its membership payment actions and acts on a caller-supplied user identifier, allowing unauthenticated attackers to delete recently-registered, payment-pending user accounts.
Metadata
Severity & Metrics
No CVSS data available.
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Unknown | User Registration & Membership | — | 4.2.3 < 5.2.3 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| — | cna | CWE-639 Authorization Bypass Through User-Controlled Key |