Attack Vectors
CVE-2026-2356 is a medium-severity vulnerability (CVSS 5.3) in the WordPress plugin User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder (slug: user-registration) affecting versions <= 5.1.2.
An unauthenticated attacker can exploit an Insecure Direct Object Reference (IDOR) condition in the plugin’s register_member function. Because the user-controlled key member_id is not properly validated, an attacker can delete certain user accounts: specifically, newly registered accounts that still have the urm_user_just_created user meta set.
Public CVE record: https://www.cve.org/CVERecord?id=CVE-2026-2356
Security Weakness
This issue is a classic Broken Access Control / IDOR scenario: the plugin allows a request to reference an object (a user account) using an identifier that the requester can manipulate, without sufficient checks to ensure the requester is allowed to perform the action.
According to the published advisory, the weakness stems from missing validation on the member_id parameter in register_member, enabling account deletion under the conditions described above. Vendor/advisory source: Wordfence vulnerability entry.
Severity context: While rated Medium, the business risk can be meaningful for sites that rely on registrations (lead gen, member portals, subscriptions) because the attack requires no login and can directly undermine user onboarding.
Technical or Business Impacts
Account deletion of new registrants: Legitimate users who register may have their accounts removed before they can verify email, complete onboarding, purchase, or access member-only content. This can create a measurable drop in conversion rates and subscription starts.
Brand and customer trust impact: Registration failures and “missing account” experiences increase support tickets and can damage trust—especially for membership, education, and community-driven brands where the first session matters.
Operational and compliance considerations: Lost account records can complicate audits of onboarding flows, consent capture, and membership fulfillment processes. Even though the CVSS vector indicates no confidentiality impact, loss of availability or integrity of user records can still create compliance and contractual friction.
Recommended remediation: Update the User Registration & Membership plugin to version 5.1.3 or newer (patched). After updating, consider reviewing recent registration and deletion activity to identify abnormal patterns around newly created users (especially if you run time-sensitive campaigns tied to sign-ups).
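The review of registration and deletion activity suggested above can be scripted. The following is an added example, not code from the advisory or the plugin: it assumes a site activity log with one JSON object per line, written from the WordPress user_register and deleted_user actions, where actor is the logged-in user ID performing the request (null for unauthenticated requests), and flags deletions that hit accounts created shortly before without a known administrator as the actor.

```python
"""Flag deletions of newly registered WordPress users that were not performed
by a known administrator. Added example; the log format is an assumption."""
import json
from datetime import datetime, timedelta

# Constructed sample log (not real data). Users 1021 and 1022 register and are
# deleted by unauthenticated requests ~2.5 minutes later; user 900 is an old
# account removed by the administrator (user ID 1), which is normal activity.
SAMPLE_LOG = """\
{"ts": "2026-03-01T10:00:00Z", "event": "user_register", "user_id": 1021, "actor": null, "ip": "203.0.113.10"}
{"ts": "2026-03-01T10:00:05Z", "event": "user_register", "user_id": 1022, "actor": null, "ip": "198.51.100.7"}
{"ts": "2026-03-01T10:02:30Z", "event": "deleted_user", "user_id": 1021, "actor": null, "ip": "192.0.2.99"}
{"ts": "2026-03-01T10:02:31Z", "event": "deleted_user", "user_id": 1022, "actor": null, "ip": "192.0.2.99"}
{"ts": "2026-02-20T09:00:00Z", "event": "user_register", "user_id": 900, "actor": null, "ip": "203.0.113.44"}
{"ts": "2026-03-01T11:00:00Z", "event": "deleted_user", "user_id": 900, "actor": 1, "ip": "203.0.113.1"}
"""


def parse_log(text):
    """Parse JSON-lines log entries and convert timestamps to datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_deletions(events, max_age=timedelta(hours=24), admin_ids=frozenset({1})):
    """Return deletions of accounts younger than max_age whose actor is not an admin."""
    registered_at = {e["user_id"]: e["ts"] for e in events if e["event"] == "user_register"}
    findings = []
    for e in events:
        if e["event"] != "deleted_user":
            continue
        created = registered_at.get(e["user_id"])
        if created is None or e["ts"] - created > max_age:
            continue  # old account, or registration not in this log window
        if e["actor"] in admin_ids:
            continue  # routine administrative cleanup
        findings.append({"user_id": e["user_id"], "actor": e["actor"], "ip": e["ip"],
                         "age_seconds": (e["ts"] - created).total_seconds()})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_deletions(parse_log(SAMPLE_LOG)):
        print(f"user {f['user_id']} deleted {f['age_seconds']:.0f}s after registration "
              f"by actor {f['actor']} from {f['ip']}")
```

Several findings from one source IP within a short window, as in the constructed sample, are the pattern worth escalating; single findings may still be legitimate self-service deletions and need a look at the request context.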
Similar Attacks
IDOR/Broken Access Control issues are a common cause of unauthorized actions (including unintended changes or deletions) because they combine predictable identifiers with missing authorization checks. For background and worked examples, see:
PortSwigger: Insecure direct object references (IDOR)
OWASP Top 10: Broken Access Control
OWASP API Security Top 10: Broken Object Level Authorization (BOLA)