VYPR
Medium severity · 5.3 · NVD Advisory · Published May 28, 2026

CVE-2026-7651

Description

The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.5. This is due to missing ownership validation on a user-controlled attachment ID, allowing the plugin to store and subsequently delete arbitrary media attachments without verifying that the referenced attachment belongs to the requesting user. This makes it possible for authenticated attackers, with subscriber-level access and above, to permanently delete arbitrary media attachments uploaded by any other user, including administrators.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The User Registration & Membership plugin <=5.1.5 lacks ownership validation on attachment IDs, allowing authenticated subscribers to delete arbitrary media files.

Vulnerability

The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference (IDOR) in all versions up to and including 5.1.5. The plugin fails to validate that an attachment ID submitted by a user belongs to that user when storing and subsequently deleting media attachments. This is due to missing ownership checks on a user-controlled attachment ID in the file handling routines, as seen in references [1], [2], [3], and [4].

Exploitation

An authenticated attacker with subscriber-level access or above can exploit this vulnerability by sending a crafted request that includes an attachment ID belonging to another user (including administrators). The attacker does not need any special privileges beyond a subscriber account. The plugin will accept the attachment ID and later delete the corresponding media file without verifying ownership, leading to permanent removal of the attachment.

Impact

Successful exploitation allows an authenticated attacker to permanently delete arbitrary media attachments uploaded by any other user, including those uploaded by administrators. This results in loss of data (integrity and availability) and can disrupt site content or user-uploaded files. The vulnerability does not disclose information or allow code execution, but the destructive effect on files can be significant for sites relying on media uploads.

Mitigation

The vulnerability has been patched in version 5.2.0, as indicated by the changeset in reference [4]. Users should update to version 5.2.0 or later immediately. No workaround is available for versions prior to 5.2.0. The plugin is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
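To make the Vulnerability and Mitigation sections concrete, the following is an added example written for this page; it is not code from the User Registration & Membership plugin or from the referenced changeset. It uses a hypothetical WordPress AJAX handler (action names, meta key and function names prefixed `hyp_`/`hypothetical_` are assumptions) that lets a logged-in user attach a media item to their profile and later remove it. The first pair of functions shows the IDOR-prone shape the description talks about: an attachment ID from the request is stored and later passed to `wp_delete_attachment()` with no ownership check. The second pair shows the hardened shape, generalised slightly beyond the text: ownership is validated both when the ID is stored and again when it is deleted, and the check refuses IDs that are not attachment posts at all.

```php
<?php
/**
 * Added example (not the plugin's own code): a hypothetical WordPress AJAX
 * handler that lets a logged-in user attach a media item to their profile
 * and later remove it, shown in the IDOR-prone form and the hardened form.
 * Action names, the meta key and all hypothetical_* functions are assumptions.
 */

// --- Vulnerable pattern: the attachment ID is taken from the request and ---
// --- stored/deleted with no check that the caller owns that attachment. ---
function hypothetical_store_profile_image_vulnerable() {
    $attachment_id = absint( $_POST['attachment_id'] ?? 0 );
    // Ownership is never verified: any attachment ID on the site is accepted.
    update_user_meta( get_current_user_id(), 'hyp_profile_image', $attachment_id );
    wp_send_json_success();
}

function hypothetical_remove_profile_image_vulnerable() {
    $attachment_id = (int) get_user_meta( get_current_user_id(), 'hyp_profile_image', true );
    // Deletes whatever ID was stored earlier, even another user's upload.
    wp_delete_attachment( $attachment_id, true );
    wp_send_json_success();
}

// --- Hardened pattern ---

/**
 * Returns true only when $attachment_id refers to a real attachment post
 * whose author is $user_id. Missing posts and non-attachment post types are
 * rejected, so an arbitrary post ID cannot be smuggled in as an "attachment".
 */
function hypothetical_user_owns_attachment( $attachment_id, $user_id ) {
    $post = get_post( $attachment_id );
    if ( ! $post || 'attachment' !== $post->post_type ) {
        return false;
    }
    return (int) $post->post_author === (int) $user_id;
}

function hypothetical_store_profile_image_hardened() {
    check_ajax_referer( 'hyp_profile_image', 'nonce' ); // CSRF protection
    $user_id       = get_current_user_id();
    $attachment_id = absint( $_POST['attachment_id'] ?? 0 );

    // Validate ownership at store time so a foreign ID is never persisted.
    if ( ! hypothetical_user_owns_attachment( $attachment_id, $user_id ) ) {
        wp_send_json_error( 'Attachment not found or not owned by you.', 403 );
    }
    update_user_meta( $user_id, 'hyp_profile_image', $attachment_id );
    wp_send_json_success();
}

function hypothetical_remove_profile_image_hardened() {
    check_ajax_referer( 'hyp_profile_image', 'nonce' );
    $user_id       = get_current_user_id();
    $attachment_id = (int) get_user_meta( $user_id, 'hyp_profile_image', true );

    // Re-check at delete time: the stored meta may have been written by older
    // (unpatched) code, or the attachment may have changed owner since.
    if ( ! hypothetical_user_owns_attachment( $attachment_id, $user_id ) ) {
        wp_send_json_error( 'Not permitted to delete this attachment.', 403 );
    }
    wp_delete_attachment( $attachment_id, true );
    delete_user_meta( $user_id, 'hyp_profile_image' );
    wp_send_json_success();
}

add_action( 'wp_ajax_hyp_store_profile_image',  'hypothetical_store_profile_image_hardened' );
add_action( 'wp_ajax_hyp_remove_profile_image', 'hypothetical_remove_profile_image_hardened' );
```

The ownership test compares `post_author` rather than relying on `current_user_can( 'delete_post', $id )`, because subscriber-level roles (the lowest role named in the description) do not hold the `delete_posts` capability that WordPress maps attachment deletion to; where a plugin's roles do carry that capability, the capability check is a sensible second gate. Checking at both the store and the delete step matters because the description says the plugin stores the user-controlled ID first and deletes it later: validating only one of the two steps leaves a window in which a previously stored foreign ID is still acted on.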

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 1

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in the index yet)