Description
The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.5. This is due to missing ownership validation on a user-controlled attachment ID, allowing the plugin to store and subsequently delete arbitrary media attachments without verifying that the referenced attachment belongs to the requesting user. This makes it possible for authenticated attackers, with subscriber-level access and above, to permanently delete arbitrary media attachments uploaded by any other user, including administrators.
Published: 2026-05-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the User Registration & Membership plugin arises from missing ownership validation on a user‑controlled attachment ID. Because the plugin accepts a 'profile-pic-url' parameter without checking that the referenced media belongs to the requester, an authenticated user can trigger the plugin to delete any media attachment on the site.

Affected Systems

This flaw impacts every release of the wpeverest WordPress User Registration & Membership plugin up to and including version 5.1.5. Any authenticated user with subscriber-level access or higher can trigger the deletion, and media uploaded by any user, administrators included, can be permanently lost.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity; EPSS is not available and the vulnerability is not listed in CISA KEV. Attackers need only be authenticated and possess subscriber or higher privileges; no remote code execution or core compromise is required. The primary consequence is the irreversible deletion of user media, compromising site content integrity and availability.

Generated by OpenCVE AI on May 28, 2026 at 08:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the User Registration & Membership plugin to version 5.2.0 or later, which removes the missing ownership validation.
  • If an upgrade is not immediately feasible, remove or disable the 'profile-pic-url' endpoint or restrict its use to administrator roles.
  • Review and tighten user role permissions to ensure that only administrators can delete media attachments, and audit WordPress for similar insecure endpoints.
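As an added illustration of the missing check described in the Impact analysis above and of the ownership validation the recommended actions call for, the following PHP sketch contrasts a profile-picture handler that trusts a client-supplied attachment ID with one that verifies the object and its owner before storing or deleting anything. This is example code written for this page, not the User Registration & Membership plugin's source; the function names, the `example_profile_pic` meta key, the `profile-pic-id` request field and the AJAX action name are assumptions, while the WordPress API calls (`get_post`, `current_user_can`, `wp_delete_attachment`, `check_ajax_referer`) are the real core functions.

```php
<?php
/**
 * Illustrative profile-picture update handlers for a hypothetical WordPress
 * plugin. Not the User Registration & Membership plugin's code: function
 * names, the 'example_profile_pic' meta key and the request shape are
 * assumptions made for this example.
 */

// --- Vulnerable pattern: trusts the client-supplied attachment ID -----------
function example_save_profile_pic_vulnerable( int $user_id, int $new_attachment_id ): void {
    // Previously stored picture ID for this user.
    $old_attachment_id = (int) get_user_meta( $user_id, 'example_profile_pic', true );

    // Stores whatever ID the client sent, then deletes the previous one.
    // Nothing checks that either attachment belongs to $user_id, so an ID
    // pointing at another user's upload is stored now and deleted on the
    // next update (CWE-639, missing ownership validation).
    update_user_meta( $user_id, 'example_profile_pic', $new_attachment_id );
    if ( $old_attachment_id && $old_attachment_id !== $new_attachment_id ) {
        wp_delete_attachment( $old_attachment_id, true );
    }
}

// --- Hardened pattern: validate the object and its ownership ---------------
/**
 * Returns $attachment_id if it is an image attachment uploaded by $user_id
 * and the current user may delete it; otherwise returns a WP_Error.
 */
function example_validate_owned_attachment( int $user_id, int $attachment_id ) {
    $post = get_post( $attachment_id );
    if ( ! $post || 'attachment' !== $post->post_type ) {
        return new WP_Error( 'invalid_attachment', 'Not an attachment.' );
    }
    if ( ! wp_attachment_is_image( $attachment_id ) ) {
        return new WP_Error( 'not_image', 'Attachment is not an image.' );
    }
    // Ownership: the attachment must have been uploaded by this user.
    if ( (int) $post->post_author !== $user_id ) {
        return new WP_Error( 'not_owner', 'Attachment belongs to another user.' );
    }
    // Capability: WordPress' own delete_post mapping acts as a second gate.
    if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability.' );
    }
    return $attachment_id;
}

function example_save_profile_pic_hardened( int $user_id, int $new_attachment_id ) {
    // Only act for the logged-in user, never for an arbitrary $user_id.
    if ( $user_id !== get_current_user_id() ) {
        return new WP_Error( 'forbidden', 'Cannot change another user\'s picture.' );
    }
    $checked = example_validate_owned_attachment( $user_id, $new_attachment_id );
    if ( is_wp_error( $checked ) ) {
        return $checked;
    }
    $old_attachment_id = (int) get_user_meta( $user_id, 'example_profile_pic', true );
    update_user_meta( $user_id, 'example_profile_pic', $new_attachment_id );

    // Delete the old picture only if it also passes the ownership check;
    // a stale or foreign ID left in meta is simply dropped, never deleted.
    if ( $old_attachment_id && $old_attachment_id !== $new_attachment_id
         && ! is_wp_error( example_validate_owned_attachment( $user_id, $old_attachment_id ) ) ) {
        wp_delete_attachment( $old_attachment_id, true );
    }
    return $new_attachment_id;
}

// AJAX entry point (assumed action name). Requires a logged-in user and a nonce.
add_action( 'wp_ajax_example_update_profile_pic', function () {
    check_ajax_referer( 'example_profile_pic', 'nonce' );
    $attachment_id = isset( $_POST['profile-pic-id'] ) ? absint( $_POST['profile-pic-id'] ) : 0;
    $result        = example_save_profile_pic_hardened( get_current_user_id(), $attachment_id );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 403 );
    }
    wp_send_json_success( array( 'attachment_id' => $result ) );
} );
```

The point of the hardened version is that the ownership check runs on both the incoming ID and the previously stored one: validating only the new value still lets a foreign ID that reached the meta table earlier be deleted later, which is exactly the store-then-delete sequence the description reports.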

Tracking

Advisories

No advisories yet.

History

Thu, 28 May 2026 11:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 09:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress; Wpeverest; Wpeverest user Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress; Wpeverest; Wpeverest user Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder

Thu, 28 May 2026 07:30:00 +0000

Type: Description
Values Added: The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.5. This is due to missing ownership validation on a user-controlled attachment ID, allowing the plugin to store and subsequently delete arbitrary media attachments without verifying that the referenced attachment belongs to the requesting user. This makes it possible for authenticated attackers, with subscriber-level access and above, to permanently delete arbitrary media attachments uploaded by any other user, including administrators.
Type: Title
Values Added: User Registration & Membership <= 5.1.5 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Media Deletion via 'profile-pic-url' Parameter
Type: Weaknesses
Values Added: CWE-639
Type: References
Values Added:
Type: Metrics (cvssV3_1)
Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Wordpress Wordpress
Wpeverest User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-28T10:35:35.907Z

Reserved: 2026-05-01T17:52:19.314Z

Link: CVE-2026-7651

Vulnrichment

Updated: 2026-05-28T10:35:30.229Z

NVD

Status : Deferred

Published: 2026-05-28T08:16:37.117

Modified: 2026-05-28T13:45:25.260

Link: CVE-2026-7651

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T09:00:10Z

Weaknesses