An unauthenticated attacker can exploit the User Registration & Membership plugin by sending a request to the confirm_payment() endpoint, which lacks proper authorization checks. This flaw allows the attacker to change payment status and activate paid memberships without completing the actual payment transaction. The weakness is classified as CWE-862, Missing Authorization, and can lead to unauthorized access to premium content, loss of revenue, and user data exposure due to elevated privileges.

The vulnerability affects the WordPress plugin "User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder" developed by WPEverest. All released versions up to and including 5.2.0 are impacted. Sites running WordPress with this plugin and relying on its paid membership features are susceptible.

The CVSS score of 6.5 classifies the flaw as medium severity. No EPSS data is available, and the issue is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated HTTP request to the confirm_payment endpoint, enabling attackers to bypass payment processing entirely. As the flaw does not require user credentials, any web‑accessible site using the affected plugin is at risk. The absence of exploit data suggests the vulnerability is not yet widely exploited, but the potential impact warrants immediate attention.