User Registration and Membership Plugin Authentication Bypass Vulnerability

Vulnerability

An authentication bypass vulnerability has been identified in the User Registration & Membership plugin for WordPress, affecting versions through 5.1.2. The issue arises from improper authentication in the 'register_member' function, which enables unauthenticated attackers to log in as newly registered users who have the 'urm_user_just_created' user meta attribute.

Impact

Exploitation of this vulnerability allows unauthenticated users to bypass authentication and log in as newly registered users with the 'urm_user_just_created' meta attribute.

Reproduction

To reproduce this vulnerability, register a new user while ensuring that the 'urm_user_just_created' user meta is set. After registration, an unauthenticated user can exploit the authentication bypass by sending a request to the 'register_member' AJAX action, which will log them in as the newly created user.

Remediation

Users are advised to update the User Registration & Membership plugin to version 5.1.3 or later.
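
The accounts this issue exposes are the ones carrying the 'urm_user_just_created' user meta, so a site owner can list them straight from the database. The query below is an added example, not code from the plugin or from this advisory. It assumes the standard WordPress schema and the default `wp_` table prefix.

```sql
-- Added example: list accounts that carry the 'urm_user_just_created' user meta.
-- Assumption: default table prefix `wp_`; change it if the site uses another prefix.
SELECT u.ID,
       u.user_login,
       u.user_registered,
       flag.meta_value AS just_created_value,
       caps.meta_value AS capabilities      -- serialized role array
FROM wp_usermeta AS flag
JOIN wp_users AS u
  ON u.ID = flag.user_id
LEFT JOIN wp_usermeta AS caps
  ON caps.user_id = u.ID
 AND caps.meta_key = 'wp_capabilities'      -- this key name follows the table prefix
WHERE flag.meta_key = 'urm_user_just_created'
ORDER BY u.user_registered DESC;
```

An empty result means no account currently carries the attribute.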

Added: Feb 26, 2026, 11:02 AM
Updated: Feb 26, 2026, 11:02 AM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 1.3
exploitability: 9.3
remediation: 7.7
relevance: 3.2
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.