User Registration & Membership < 5.2.0 – Unauthenticated Paid Membership Bypass | CVE 2026-11965

Description

The plugin does not enforce payment completion before activating a paid membership subscription, allowing unauthenticated users (after self-registering an account through the open registration flow) to obtain an active subscription on any paid plan without paying and access the gated content.

Proof of Concept

The PoC will be displayed on July 02, 2026, to give users the time to update.

Affects Plugins

user-registration

Fixed in 5.2.0

References

CVE

CVE-2026-11965

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-287

CVSS

6.5 (medium)

Miscellaneous

Original Researcher

John Umoru

Submitter

John Umoru

Submitter website

https://github.com/johnumorujo

Submitter twitter

johnumorujo

Verified

Yes

WPVDB ID

49f4c59e-5931-405d-8518-244531bbc889

Timeline

Publicly Published

2026-06-11 (about 2 days ago)

Added

2026-06-11 (about 1 day ago)

Last Updated

2026-06-11 (about 1 day ago)

Other

Published

Title

Published

2025-07-11

Title

Simple Link Directory < 14.8.1 - Authentication Bypass

Published

2020-02-16

Title

ThemeGrill Demo Importer < 1.6.3 - Auth Bypass & Database Wipe

Published

2023-01-27

Title

ContentStudio < 1.2.6 - Authorisation Bypass

Published

2025-12-12

Title

Ninja Forms < 3.13.3 - Unauthenticated Token Generation and Submission Disclosure

Published

2025-06-26

Title

Simple Payment 1.3.6 - 2.3.8 - Authentication Bypass to Admin