CVE-2026-2356
User Registration & Membership <= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Limited User Deletion
mediumImproper Access Control
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
5.1.3
Patched in
1d
Time to patch
Description
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2 via the 'register_member' function, due to missing validation on the 'member_id' user controlled key. This makes it possible for unauthenticated attackers to delete arbitrary user accounts that newly registered on the site who has the 'urm_user_just_created' user meta set.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NAttack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability
Technical Details
Affected versions
<=5.1.2PublishedFebruary 25, 2026
Last updatedFebruary 26, 2026
Affected pluginuser-registration
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.