WordPress Plugin Vulnerabilities
User Registration & Membership < 5.2.3 - Unauthenticated Limited User Deletion via Stripe Subscription Handler
Description
The plugin does not perform a capability check for unauthenticated callers on one of its membership payment actions and acts on a caller-supplied user identifier, allowing unauthenticated attackers to delete recently-registered, payment-pending user accounts.
Proof of Concept
Affects Plugins
References
CVE
Classification
Type
IDOR
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Daniel Púa - devploit
Submitter
Daniel Púa - devploit
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2026-06-26 (about 21 days ago)
Added
2026-06-26 (about 20 days ago)
Last Updated
2026-06-26 (about 20 days ago)