CVE-2026-11963
The User Registration & Membership WordPress plugin before 5.2.2 does not perform an authorization check on a membership-upgrade action and
CVSS
8.1
High
EPSS
0.2%
p10
KEV
—
Exploit Today
3
0-100
Published: Jul 13, 2026 · Last modified: Jul 13, 2026
0.1%EPSS · 30 days0.2%
2026-07-132026-07-17
The User Registration & Membership WordPress plugin before 5.2.2 does not perform an authorization check on a membership-upgrade action and derives the user to modify from a caller-supplied identifier instead of the current user, allowing any authenticated user such as a subscriber to change another user's WordPress role and membership tier.
No related CVEs by CWE or product.