Summary
CVE-2026-11964 is an unauthenticated PayPal webhook signature verification bypass in the User Registration & Membership WordPress plugin, affecting all versions prior to 5.2.2. An attacker can send forged PayPal webhook notifications to the plugin's endpoint without valid cryptographic verification, tricking the site into activating a paid membership tier without completing an actual payment.
- CVSS Score: 6.5 (Medium)
- CWE: CWE-287 — Improper Authentication
- Authentication Required: None
- User Interaction: None
- Patched In: Version 5.2.2
Technical Details
The plugin exposes a webhook endpoint for receiving payment notifications from PayPal. Before acting on an incoming notification — such as activating a paid membership — the plugin should verify the notification's authenticity by comparing a signature or checking the payload with PayPal's API. In versions before 5.2.2, this verification step is absent.
Any unauthenticated attacker who can discover the webhook URL can craft a forged HTTP request mimicking a successful PayPal payment event. The plugin processes the fake notification and grants the attacker a premium membership subscription at no cost.
The vulnerability was discovered by Alessandro Greco (alias Aleff) and Giovanbattista Ianni of the University of Calabria (UNICAL) and published on June 22, 2026.
Affected Component
| Detail | Value |
|---|---|
| Plugin | User Registration & Membership |
| Affected Versions | All versions < 5.2.2 |
| Attack Vector | Network (unauthenticated HTTP request) |
| Impact | Unauthorized membership activation — free access to paid tiers |
Context: Recurring Issues in This Plugin
CVE-2026-11964 is the third serious vulnerability in this plugin in 2026 alone:
- CVE-2026-1492 (CVSS 9.8 Critical): Full admin account creation via privilege escalation
- CVE-2026-1779: Authentication bypass
- CVE-2026-11964: PayPal webhook signature verification bypass
This pattern indicates the plugin is actively targeted by automated vulnerability scanners and warrants urgent review by any site using it.
Impact
Exploitation allows any external actor to obtain premium or paid membership access on any affected WordPress site without paying. Beyond direct financial loss, the integrity of the site's membership system is compromised — other paying members may lose confidence, and the site operator may face chargebacks or disputes.
Remediation
Update immediately to User Registration & Membership version 5.2.2 or later.
After updating:
- Audit user accounts for any memberships activated during the exposure window — flag accounts with no associated payment record.
- Rotate credentials for admin accounts and revoke any suspicious sessions.
- Review PayPal webhook logs in the PayPal dashboard to identify suspicious notification patterns.
- Enable server-side signature verification if the updated plugin provides a configuration toggle for it.