External risk intelligence

User Registration Membership Plugin Forges Payment Approval

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-11964

This vulnerability affects a WordPress plugin, a type of software commonly deployed as part of public-facing web applications. The specific flaw involves payment-provider webhooks, which are designed to receive incoming network traffic from external services, making the vulnerable endpoint reachable from the internet in standard configurations.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in a WordPress plugin that handles user registration and membership payments. The flaw allows unauthenticated attackers to bypass payment verification, potentially enabling them to activate paid subscriptions without making a real payment. The main concern is confirming relevance and exposure to the affected plugin.

  • Attackers can fake payment approval for subscriptions.
  • It impacts revenue and customer trust if exploited.
  • Verify plugin usage and confirm exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this flaw by sending a forged notification to a website using the vulnerable plugin. This notification would mimic a successful payment from a payment provider, tricking the plugin into granting a paid membership without any actual payment being made. This could lead to unauthorized access to premium features or content.

  • No authentication needed to attack.
  • Forge payment provider webhook.
  • Gain unauthorized paid access.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow unauthenticated attackers to bypass payment verification and activate paid membership subscriptions. When supported by the advisory, this could affect user account status and potentially lead to unauthorized access to premium features.

  • User membership subscriptions.
  • Forging payment-approved notifications.
  • Unauthorized access to paid features.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and platform teams are most likely responsible for addressing this vulnerability within their WordPress environments. The first practical step is to identify all instances of the affected plugin, assess their reachability and business criticality, and confirm the accountable owner before planning remediation.

  • Application owners should own the issue.
  • Verify plugin reachability and business criticality.
  • Plan remediation based on exposure risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the User Registration & Membership plugin?

It is a WordPress extension designed to manage site memberships and user accounts. It specifically automates the subscription process by integrating with external payment providers to track when users sign up and pay for premium access or content.

How does CVE-2026-11964 allow unauthorized access?

The plugin suffers from an Improper Authentication vulnerability. It fails to verify that incoming webhook notifications—signals sent from a payment service to your site—actually originated from that trusted service, allowing attackers to fake successful payment events.

Do I need to do anything if my site does not use paid memberships?

If your site does not use this plugin to process payment-provider webhooks, the specific trigger path for this vulnerability does not apply. The bug requires the plugin to be actively receiving and processing these external notifications to function.

Is my site at risk if it uses this plugin?

According to Halo Surface Signal, this risk is categorized as Likely because the plugin's payment-webhook feature is designed to be reachable from the internet. If the plugin is installed and active on a public-facing WordPress site, it is inherently exposed to external network traffic.

What should I do first to address this CVE?

Begin by auditing your WordPress environment to identify if this specific plugin is installed. Once located, evaluate if the site relies on paid memberships, confirm who is responsible for the site's maintenance, and check for available plugin updates to resolve the flaw.

References