WordPress Plugin Vulnerabilities

User Registration & Membership < 5.2.2 - Unauthenticated PayPal Webhook Signature Verification Bypass Leading to Membership Activation

Description

The plugin does not verify the authenticity of incoming payment-provider webhook notifications before acting on them, allowing unauthenticated attackers to forge a payment-approved event and activate a paid membership subscription without completing a real payment.
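A fail-closed verification gate of the kind the description says was missing, as an added example (not the plugin's code and not its 5.2.2 fix). It assumes PayPal's header-based webhook signature, RSA-SHA256 over `transmission-id|transmission-time|webhook-id|crc32(body)`; the function name, webhook ID, key pair and payload are constructed, and a real handler would take the public key from PayPal's signing certificate after validating the certificate URL and chain.

```php
<?php
// Added example: hypothetical names, constructed key pair and payload.
/**
 * Fail-closed check of a PayPal-style webhook signature. The signed string is
 * "<transmission-id>|<transmission-time>|<webhook-id>|<crc32 of raw body>".
 */
function example_verify_webhook(array $headers, string $rawBody, string $webhookId, string $publicKeyPem): bool
{
    $h = array_change_key_case($headers, CASE_UPPER);
    $required = ['PAYPAL-TRANSMISSION-ID', 'PAYPAL-TRANSMISSION-TIME',
                 'PAYPAL-TRANSMISSION-SIG', 'PAYPAL-AUTH-ALGO'];
    foreach ($required as $name) {
        if (!isset($h[$name]) || !is_string($h[$name]) || $h[$name] === '') {
            return false; // a missing header is a rejection, never a skip
        }
    }
    if ($h['PAYPAL-AUTH-ALGO'] !== 'SHA256withRSA') {
        return false; // pin the algorithm instead of trusting the request
    }
    $signature = base64_decode($h['PAYPAL-TRANSMISSION-SIG'], true);
    if ($signature === false || $signature === '') {
        return false;
    }
    $signed = implode('|', [
        $h['PAYPAL-TRANSMISSION-ID'],
        $h['PAYPAL-TRANSMISSION-TIME'],
        $webhookId,                      // taken from site config, not from the request
        sprintf('%u', crc32($rawBody)),  // CRC32 of the exact bytes received
    ]);
    return openssl_verify($signed, $signature, $publicKeyPem, OPENSSL_ALGO_SHA256) === 1;
}

// --- constructed demonstration data ---
$key  = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$pub  = openssl_pkey_get_details($key)['key'];
$id   = 'WH-CONSTRUCTED-ID';
$body = '{"event_type":"CONSTRUCTED.EVENT","resource":{"id":"demo"}}';
$base = ['Paypal-Transmission-Id' => 'tx-1', 'Paypal-Transmission-Time' => '2026-01-01T00:00:00Z',
         'Paypal-Auth-Algo' => 'SHA256withRSA'];
openssl_sign("tx-1|2026-01-01T00:00:00Z|$id|" . sprintf('%u', crc32($body)), $raw, $key, OPENSSL_ALGO_SHA256);
$signedHeaders = $base + ['Paypal-Transmission-Sig' => base64_encode($raw)];

foreach ([
    'signed by key holder'  => [$signedHeaders, $body],
    'body altered'          => [$signedHeaders, str_replace('demo', 'other', $body)],
    'signature header gone' => [$base, $body],
] as $label => [$hdrs, $payload]) {
    printf("%-22s %s\n", $label, example_verify_webhook($hdrs, $payload, $id, $pub) ? 'accept' : 'reject');
}
```

Only a `true` result should be allowed to reach the code path that changes a membership's state; every other outcome ends the request.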

Proof of Concept

Affects Plugins

Fixed in 5.2.2

References

Classification

Miscellaneous

Original Researcher: Alessandro Greco aka Aleff, Giovanbattista Ianni (University of Calabria - UNICAL)
Submitter: Alessandro Greco aka Aleff
Verified: Yes

Timeline

Publicly Published: 2026-06-22
Added: 2026-06-22
Last Updated: 2026-06-22

Other