User Registration and Membership WordPress Plugin Insecure Direct Object Reference Vulnerability Allowing Unauthenticated User Deletion

Vulnerability

The User Registration & Membership WordPress plugin, in versions through 5.1.2, contains an Insecure Direct Object Reference (IDOR) in the 'register_member' function: the 'member_id' key is controlled by the user and is not properly validated. This flaw enables unauthenticated attackers to delete the accounts of users who have recently registered and possess the 'urm_user_just_created' user meta.
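The flaw class described above, as an added example: a simplified Python model of a handler that deletes by a client-supplied 'member_id', beside a form that binds the id to the caller's own registration flow. This is not the plugin's code and not the 5.1.3 patch; the in-memory store, the function names and the HMAC token scheme are assumptions made for illustration.

```python
# Added illustration: a model of the IDOR pattern, not the plugin's source.
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)    # assumed per-site secret
JUST_CREATED = "urm_user_just_created"  # user meta key named in the advisory


def make_store():
    """Constructed sample data: user id -> user meta."""
    return {
        101: {JUST_CREATED: True},  # someone else's freshly registered account
        102: {JUST_CREATED: True},  # the requester's own new account
        7: {},                      # established account, no meta flag
    }


def issue_token(member_id):
    """Server side: tie a registration flow to the account it created."""
    msg = str(member_id).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def delete_member_vulnerable(store, request):
    """Trusts request['member_id']; the meta flag is the only gate."""
    member_id = int(request["member_id"])
    if store.get(member_id, {}).get(JUST_CREATED):
        del store[member_id]
        return True
    return False


def delete_member_hardened(store, request):
    """Deletes only when the caller proves the id belongs to its own flow."""
    try:
        member_id = int(request["member_id"])
    except (KeyError, TypeError, ValueError):
        return False  # missing or malformed id: reject, never guess
    supplied = str(request.get("token", "")).encode()
    expected = issue_token(member_id).encode()
    if not hmac.compare_digest(supplied, expected):
        return False  # id was not issued to this caller
    if not store.get(member_id, {}).get(JUST_CREATED):
        return False  # established accounts are never removed here
    del store[member_id]
    return True
```

In the hardened form the meta flag stays as a second condition, so a valid token still cannot remove an established account.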

Impact

Exploitation of this vulnerability allows unauthorized deletion of user accounts, specifically those that have recently registered and have the 'urm_user_just_created' user meta set.

Remediation

Users can update to version 5.1.3 or a newer patched version to address this vulnerability.

Added: Feb 26, 2026, 11:21 AM
Updated: Feb 26, 2026, 11:21 AM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 0.6
exploitability: 6.7
remediation: 7.7
relevance: 3.2
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.