Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1880+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-11964: WordPress User Registration Plugin PayPal Webhook Bypass
CVE-2026-11964: WordPress User Registration Plugin PayPal Webhook Bypass
SECURITYMEDIUMCVE-2026-11964

CVE-2026-11964: WordPress User Registration Plugin PayPal Webhook Bypass

The User Registration & Membership WordPress plugin before 5.2.2 fails to verify PayPal webhook signatures, allowing unauthenticated attackers to forge payment events and gain free premium memberships.

Dylan H.

Security Team

July 13, 2026
3 min read

Affected Products

  • WordPress User Registration & Membership plugin < 5.2.2

Summary

CVE-2026-11964 is an unauthenticated PayPal webhook signature verification bypass in the User Registration & Membership WordPress plugin, affecting all versions prior to 5.2.2. An attacker can send forged PayPal webhook notifications to the plugin's endpoint without valid cryptographic verification, tricking the site into activating a paid membership tier without completing an actual payment.

  • CVSS Score: 6.5 (Medium)
  • CWE: CWE-287 — Improper Authentication
  • Authentication Required: None
  • User Interaction: None
  • Patched In: Version 5.2.2

Technical Details

The plugin exposes a webhook endpoint for receiving payment notifications from PayPal. Before acting on an incoming notification — such as activating a paid membership — the plugin should verify the notification's authenticity by comparing a signature or checking the payload with PayPal's API. In versions before 5.2.2, this verification step is absent.

Any unauthenticated attacker who can discover the webhook URL can craft a forged HTTP request mimicking a successful PayPal payment event. The plugin processes the fake notification and grants the attacker a premium membership subscription at no cost.

The vulnerability was discovered by Alessandro Greco (alias Aleff) and Giovanbattista Ianni of the University of Calabria (UNICAL) and published on June 22, 2026.

Affected Component

DetailValue
PluginUser Registration & Membership
Affected VersionsAll versions < 5.2.2
Attack VectorNetwork (unauthenticated HTTP request)
ImpactUnauthorized membership activation — free access to paid tiers

Context: Recurring Issues in This Plugin

CVE-2026-11964 is the third serious vulnerability in this plugin in 2026 alone:

  • CVE-2026-1492 (CVSS 9.8 Critical): Full admin account creation via privilege escalation
  • CVE-2026-1779: Authentication bypass
  • CVE-2026-11964: PayPal webhook signature verification bypass

This pattern indicates the plugin is actively targeted by automated vulnerability scanners and warrants urgent review by any site using it.

Impact

Exploitation allows any external actor to obtain premium or paid membership access on any affected WordPress site without paying. Beyond direct financial loss, the integrity of the site's membership system is compromised — other paying members may lose confidence, and the site operator may face chargebacks or disputes.

Remediation

Update immediately to User Registration & Membership version 5.2.2 or later.

After updating:

  1. Audit user accounts for any memberships activated during the exposure window — flag accounts with no associated payment record.
  2. Rotate credentials for admin accounts and revoke any suspicious sessions.
  3. Review PayPal webhook logs in the PayPal dashboard to identify suspicious notification patterns.
  4. Enable server-side signature verification if the updated plugin provides a configuration toggle for it.

References

  • WPScan — WPVDB faf55649
  • NVD — CVE-2026-11964
  • BitNinja Security Alert
#CVE#WordPress#Vulnerability#Payment Security#Authentication Bypass

Related Articles

CVE-2026-13019: Esri ArcGIS Portal Critical Unauthenticated API Access

A critical missing authentication vulnerability in Esri Portal for ArcGIS 12.1 and earlier allows remote unauthenticated attackers to access protected API...

3 min read

CVE-2026-4321: Critical SQL Injection in Raera Destekz Plugin (No Patch Available)

A CVSS 9.8 critical SQL injection in the Destekz plugin by Raera - Ankara Web Design allows unauthenticated remote attackers full database access. The...

2 min read

CVE-2026-14198: Fastify Middie Middleware Path Bypass (CVSS 9.1)

Critical path bypass vulnerability in @fastify/middie versions 9.1.0 through 9.3.2 allows attackers to evade middleware protection by exploiting a %2F...

5 min read
Back to all Security Alerts