CVE-2026-7651

The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.5. This is due to missing ownership validation on a user-controlled attachment ID, allowing the plugin to store and subsequently delete arbitrary media attachments without verifying that the referenced attachment belongs to the requesting user. This makes it possible for authenticated attackers, with subscriber-level access and above, to permanently delete arbitrary media attachments uploaded by any other user, including administrators.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/frontend/class-ur-frontend.php#L114
https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/frontend/class-ur-frontend.php#L86
https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/functions-ur-core.php#L4262
https://plugins.trac.wordpress.org/changeset/3539426/user-registration/tags/5.2.0/includes/frontend/class-ur-frontend.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/0def7637-edf4-4ae2-a2e7-31ccb3b52d71?source=cve

Configurations

No configuration.

History

28 May 2026, 08:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-28 08:16

Updated : 2026-05-28 13:45

NVD link : CVE-2026-7651

Mitre link : CVE-2026-7651

CVE.ORG link : CVE-2026-7651

JSON object : View

Products Affected

No product.

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2026-7651", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2026-05-28T08:16:37.117", "references": [{"url": "https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/frontend/class-ur-frontend.php#L114", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/frontend/class-ur-frontend.php#L86", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/functions-ur-core.php#L4262", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3539426/user-registration/tags/5.2.0/includes/frontend/class-ur-frontend.php", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0def7637-edf4-4ae2-a2e7-31ccb3b52d71?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "The User Registration & Membership \u2013 Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.5. This is due to missing ownership validation on a user-controlled attachment ID, allowing the plugin to store and subsequently delete arbitrary media attachments without verifying that the referenced attachment belongs to the requesting user. This makes it possible for authenticated attackers, with subscriber-level access and above, to permanently delete arbitrary media attachments uploaded by any other user, including administrators."}], "lastModified": "2026-05-28T13:45:25.260", "sourceIdentifier": "security@wordfence.com"}