WordPress Plugin Vulnerabilities
User Registration & Membership < 5.2.2 - Unauthenticated PayPal Webhook Signature Verification Bypass Leading to Membership Activation
Description
The plugin does not verify the authenticity of incoming payment-provider webhook notifications before acting on them, allowing unauthenticated attackers to forge a payment-approved event and activate a paid membership subscription without completing a real payment.
Proof of Concept
Affects Plugins
References
CVE
Classification
Type
AUTHBYPASS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Alessandro Greco aka Aleff, Giovanbattista Ianni (University of Calabria - UNICAL)
Submitter
Alessandro Greco aka Aleff
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2026-06-22
Added
2026-06-22
Last Updated
2026-06-22