User Registration and Membership WordPress Plugin Insecure Direct Object Reference Vulnerability

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress. It affects all versions up to and including 4.1.3. The flaw is in the user_registration_membership_register_member() function, which does not properly validate the user-controlled 'membership_id' key. As a result, unauthenticated attackers can change the membership type of any user to any membership, active or inactive.
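The pattern behind this class of bug, as an added illustration that is not the plugin's own code: a registration handler that takes both the target user and the membership from the request, beside a hardened version that derives the target from the authenticated session, restricts cross-account changes to an administrative capability, and checks 'membership_id' against the memberships that actually exist and are active. The function names, the request shape, and the membership catalogue are hypothetical; in a WordPress plugin the session and capability values would come from get_current_user_id() and current_user_can().

```php
<?php
// Added illustration (not the plugin's code): how a membership-registration
// handler becomes an IDOR, and the checks that close it. Function names,
// the request shape and the membership table are hypothetical.

declare(strict_types=1);

// Constructed membership catalogue standing in for the plugin's stored memberships.
const MEMBERSHIPS = [
    101 => ['name' => 'Free',    'status' => 'active'],
    102 => ['name' => 'Premium', 'status' => 'active'],
    103 => ['name' => 'Legacy',  'status' => 'inactive'],
];

/**
 * Vulnerable shape: every value that decides *who* is changed and *what*
 * they are changed to comes straight from the request, and the caller is
 * never authenticated. Returns the [user_id, membership_id] that gets stored.
 */
function register_member_vulnerable(array $request, array &$user_memberships): array
{
    $user_id       = (int) $request['user_id'];
    $membership_id = (int) $request['membership_id'];   // trusted as-is
    $user_memberships[$user_id] = $membership_id;       // any user, any membership
    return [$user_id, $membership_id];
}

/**
 * Hardened shape. $current_user_id is the id of the authenticated session
 * (0 for an anonymous request) and $can_manage_members is whether that
 * user holds the administrative capability. Throws on any failed check.
 */
function register_member_hardened(
    array $request,
    int $current_user_id,
    bool $can_manage_members,
    array &$user_memberships
): array {
    if ($current_user_id === 0) {
        throw new RuntimeException('authentication required');
    }

    // Who is changed is derived from the session, never from the request,
    // unless the caller is an administrator acting on another account.
    $target_user_id = $current_user_id;
    if (isset($request['user_id']) && (int) $request['user_id'] !== $current_user_id) {
        if (!$can_manage_members) {
            throw new RuntimeException('cannot modify another user');
        }
        $target_user_id = (int) $request['user_id'];
    }

    // What they are changed to must be an existing membership that is
    // currently active (administrators may also assign inactive ones).
    $membership_id = filter_var($request['membership_id'] ?? null, FILTER_VALIDATE_INT);
    if ($membership_id === false || !isset(MEMBERSHIPS[$membership_id])) {
        throw new RuntimeException('unknown membership');
    }
    if (!$can_manage_members && MEMBERSHIPS[$membership_id]['status'] !== 'active') {
        throw new RuntimeException('membership is not available');
    }

    $user_memberships[$target_user_id] = $membership_id;
    return [$target_user_id, $membership_id];
}

// Demonstration on a constructed request from an anonymous caller that tries
// to move user 7 onto the inactive "Legacy" membership.
$store   = [7 => 101];
$request = ['user_id' => '7', 'membership_id' => '103'];

print_r(register_member_vulnerable($request, $store));   // succeeds without any login

try {
    register_member_hardened($request, 0, false, $store);
} catch (RuntimeException $e) {
    echo "hardened handler refused: {$e->getMessage()}\n";
}

// The same request from user 7 as a logged-in non-admin is still refused,
// because membership 103 is inactive; an active membership is accepted.
try {
    register_member_hardened($request, 7, false, $store);
} catch (RuntimeException $e) {
    echo "hardened handler refused: {$e->getMessage()}\n";
}
print_r(register_member_hardened(['membership_id' => '102'], 7, false, $store));
```

The two checks matter independently: binding the target user to the session stops the cross-account change, and validating 'membership_id' against the catalogue stops a legitimate user from assigning themselves a membership that is inactive or does not exist. Only the first was needed to make the handler an IDOR, but the advisory describes both failure modes.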

Impact

Exploitation allows unauthorized modification of user membership types, which can grant access to membership-gated features or content that the affected account was not entitled to.

Remediation

Users are advised to update the User Registration & Membership plugin to version 4.1.4 or a newer patched version. Because the flaw allowed membership changes without authentication, it is also worth reviewing existing membership assignments for unexpected changes after updating.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 0.6
exploitability: 7.1
remediation: 7.7
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.