{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2356", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-11T16:54:51.661Z", "datePublished": "2026-02-26T02:23:55.847Z", "dateUpdated": "2026-04-08T17:13:17.648Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:17.648Z"}, "affected": [{"vendor": "wpeverest", "product": "User Registration & Membership \u2013 Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The User Registration & Membership \u2013 Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2 via the 'register_member' function, due to missing validation on the 'member_id' user controlled key. This makes it possible for unauthenticated attackers to delete arbitrary user accounts that newly registered on the site who has the 'urm_user_just_created' user meta set."}], "title": "User Registration & Membership <= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Limited User Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a5a1ccb2-4f78-4855-a01d-b15f73407822?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/user-registration/tags/5.1.1/modules/membership/includes/AJAX.php#L142"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-284 Improper Access Control", "cweId": "CWE-284", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ph\u00fa"}], "timeline": [{"time": "2026-02-11T17:11:10.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-25T13:29:35.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T14:41:43.910634Z", "id": "CVE-2026-2356", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:41:55.080Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2356", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T14:41:43.910634Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:41:49.306Z"}}], "cna": {"title": "User Registration & Membership <= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Limited User Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Ph\u00fa"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpeverest", "product": "User Registration & Membership \u2013 Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.1.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-11T17:11:10.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-25T13:29:35.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a5a1ccb2-4f78-4855-a01d-b15f73407822?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/user-registration/tags/5.1.1/modules/membership/includes/AJAX.php#L142"}], "descriptions": [{"lang": "en", "value": "The User Registration & Membership \u2013 Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2 via the 'register_member' function, due to missing validation on the 'member_id' user controlled key. This makes it possible for unauthenticated attackers to delete arbitrary user accounts that newly registered on the site who has the 'urm_user_just_created' user meta set."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:17.648Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2356", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:13:17.648Z", "dateReserved": "2026-02-11T16:54:51.661Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-26T02:23:55.847Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The User Registration & Membership \u2013 Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2 via the 'register_member' function, due to missing validation on the 'member_id' user controlled key. This makes it possible for unauthenticated attackers to delete arbitrary user accounts that newly registered on the site who has the 'urm_user_just_created' user meta set."}, {"lang": "es", "value": "El plugin User Registration &amp; Membership \u2013 Custom Registration Form, Login Form, and User Profile para WordPress es vulnerable a Referencia Directa Insegura a Objeto en todas las versiones hasta la 5.1.2, inclusive, a trav\u00e9s de la funci\u00f3n 'register_member', debido a la falta de validaci\u00f3n en la clave 'member_id' controlada por el usuario. Esto hace posible que atacantes no autenticados eliminen cuentas de usuario arbitrarias que se registraron recientemente en el sitio y que tienen configurado el metadato de usuario 'urm_user_just_created'."}], "id": "CVE-2026-2356", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-26T03:16:05.293", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/user-registration/tags/5.1.1/modules/membership/includes/AJAX.php#L142"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a5a1ccb2-4f78-4855-a01d-b15f73407822?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.1.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "User Registration & Membership \u2013 Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder", "source": "cna", "vendor": "wpeverest"}, "product": "user_registration_&_membership_\u2013_free_&_paid_memberships,_subscriptions,_content_restriction,_user_profile,_custom_user_registration_&_login_builder", "vendor": "wpeverest"}], "analysis": {"en": {"generated_at": "2026-04-15T18:02:40.914486+00:00", "value": {"mitigation_remediation": ["Update the User Registration & Membership plugin to the latest stable release, which includes the fix for the member_id validation issue.", "If an update cannot be applied immediately, remove or restrict the register_member AJAX handler so that it can only be called by authenticated administrators, for example by adding role checks or disabling the action entirely.", "Add custom server\u2011side validation to reject any deletion request made by a non\u2011administrator or to exclude users that have the 'urm_user_just_created' meta, unless explicit permission is granted."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated Deletion of Newly Registered User Accounts"}, "threat_synthesis": {"affected_systems": "All WordPress installations running the wpeverest User Registration & Membership plugin version 5.1.2 or earlier are vulnerable. The affected component is the plugin\u2019s register_member AJAX handler, which is exposed to unauthenticated web traffic.", "description_and_impact": "The User Registration & Membership plugin for WordPress is affected by an Insecure Direct Object Reference flaw in the register_member function. The member_id parameter is not subject to any server\u2011side validation, allowing any user to supply the identifier of a new account that still carries the special 'urm_user_just_created' meta field and have that account removed. The vulnerability does not expose user credentials or sensitive data, but it does enable an attacker to silently delete user accounts, potentially disrupting service, losing content, and forcing legitimate users to re\u2011register.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote HTTP request that invokes the register_member AJAX endpoint with a crafted member_id value. An attacker does not need authentication, making exploitation simple but limited to accounts that still possess the 'urm_user_just_created' meta tag."}}}}, "created": "2026-02-26T13:09:47.270775+00:00", "updated": "2026-04-15T18:15:10.812786+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpeverest", "wpeverest$PRODUCT$user_registration_&_membership_\u2013_free_&_paid_memberships,_subscriptions,_content_restriction,_user_profile,_custom_user_registration_&_login_builder"]}