Description
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.1 via the create_stripe_subscription() function, due to missing validation on the 'member_id' user controlled key. This makes it possible for unauthenticated attackers to delete arbitrary user accounts that have registered through the plugin.
Published: 2025-05-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: User Account Deletion
Action: Apply Patch
AI Analysis

Impact

The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress contains an Insecure Direct Object Reference vulnerability (CWE-639) in the create_stripe_subscription() function. Because the plugin does not validate the member_id parameter supplied by the user, an attacker who is not authenticated can cause the function to delete any user account that was registered through the plugin. Deleting an account removes that user’s data and credentials, which can disrupt site functionality and deny the affected users access to the site.

Affected Systems

WordPress installations that use the User Registration & Membership plugin version 4.2.1 or earlier are affected. The vulnerability exists in the membership component of the plugin, and any site that has installed or activated this plugin version is at risk.

Risk and Exploitability

The vulnerability has a CVSS score of 5.3, indicating medium severity, and the EPSS score is reported as less than 1%, implying a low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. The attack vector is inferred to be an unauthenticated HTTP request to the plugin’s AJAX endpoint in which the attacker supplies a crafted member_id value. Because the function accepts the parameter without validating it or checking authorization, the deletion proceeds without any authentication.

Generated by OpenCVE AI on April 28, 2026 at 11:29 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the User Registration & Membership plugin to the latest released version that includes a fix for the vulnerable create_stripe_subscription() function.
  • If an upgrade is not possible, restrict access to the AJAX endpoint that processes create_stripe_subscription() by denying all non-admin requests or by enforcing proper authentication checks before allowing deletion.
  • Modify the create_stripe_subscription() function to validate the member_id parameter against the authenticated user’s ID or ensure that the user has privileged status before performing deletion.
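As an added illustration of the last two recommendations, the following is a hypothetical WordPress AJAX handler written for this page; it is not the plugin's own code and not code from OpenCVE. It shows the pattern that closes an IDOR of this kind: the handler is registered only on the wp_ajax_ hook (never wp_ajax_nopriv_, so WordPress does not route anonymous requests to it), it checks a nonce, and it binds the user-controlled member_id to the authenticated user's ID unless the caller holds a privileged capability. The action name, nonce name, handler name and the delete_users capability are assumptions.

```php
<?php
// Added example (not the plugin's code): hardened AJAX handler for a
// member-deletion action. Names below are assumptions for illustration.

// Registered on wp_ajax_ only. Deliberately NOT registered on
// wp_ajax_nopriv_, so anonymous requests never reach this function.
add_action( 'wp_ajax_example_delete_member', 'example_delete_member_handler' );

function example_delete_member_handler() {
    // 1. Belt-and-braces authentication check (wp_ajax_ already requires a
    //    logged-in session, but an explicit check documents the intent).
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // 2. CSRF protection: the request must carry a nonce issued for this action.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_delete_member_nonce', 'nonce' );

    // 3. Read the user-controlled key, but never treat it as an authorization
    //    decision on its own.
    $member_id  = isset( $_POST['member_id'] ) ? absint( wp_unslash( $_POST['member_id'] ) ) : 0;
    $current_id = get_current_user_id();

    if ( 0 === $member_id ) {
        wp_send_json_error( array( 'message' => 'Invalid member_id.' ), 400 );
    }

    // 4. The IDOR fix: the caller may only act on their own record unless they
    //    hold a privileged capability. This ties the object reference to the
    //    authenticated identity instead of trusting the submitted value.
    if ( $member_id !== $current_id && ! current_user_can( 'delete_users' ) ) {
        wp_send_json_error( array( 'message' => 'Not permitted.' ), 403 );
    }

    // 5. Only after authentication, nonce and authorization checks is the
    //    privileged operation performed.
    require_once ABSPATH . 'wp-admin/includes/user.php';
    $deleted = wp_delete_user( $member_id );

    if ( ! $deleted ) {
        wp_send_json_error( array( 'message' => 'Deletion failed.' ), 500 );
    }

    wp_send_json_success( array( 'deleted' => $member_id ) );
}
```

The ordering matters: authentication and the nonce check reject requests that should never reach the handler, while the comparison against get_current_user_id() (or a capability check) is the step that actually removes the insecure direct object reference. A handler that performs only the first two checks is still vulnerable to any logged-in user deleting other members' accounts.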

Advisories
Source: EUVD
ID: EUVD-2025-13565
Title: The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.1 via the create_stripe_subscription() function, due to missing validation on the 'member_id' user controlled key. This makes it possible for unauthenticated attackers to delete arbitrary user accounts that have registered through the plugin.
History

Sun, 13 Jul 2025 13:45:00 +0000
Type: Metrics (epss)
Values Removed: {'score': 0.00047}
Values Added: {'score': 0.00049}

Tue, 06 May 2025 14:15:00 +0000
Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 06 May 2025 07:45:00 +0000
Type: Description
Values Added: The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.1 via the create_stripe_subscription() function, due to missing validation on the 'member_id' user controlled key. This makes it possible for unauthenticated attackers to delete arbitrary user accounts that have registered through the plugin.
Type: Title
Values Added: User Registration & Membership – Custom Registration Form, Login Form, and User Profile <= 4.2.1 - Insecure Direct Object Reference to Unauthenticated Limited User Deletion
Type: Weaknesses
Values Added: CWE-639
Type: References
Values Added: (none listed)
Type: Metrics (cvssV3_1)
Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:44:47.691Z

Reserved: 2025-04-04T15:15:57.202Z

Link: CVE-2025-3281

Vulnrichment

Updated: 2025-05-06T13:25:20.792Z

NVD

Status: Deferred

Published: 2025-05-06T08:15:16.707

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3281

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T11:30:29Z

Weaknesses