CVE-2026-7651: WordPress Membership Plugin IDOR Allows Unauthorized Attachment Deletion
A widely-used WordPress membership plugin contains a flaw that allows any logged-in user with basic subscriber privileges to delete media files (images, documents, etc.) that belong to other users, including administrators. The plugin fails to verify ownership before allowing deletion, meaning an attacker could systematically destroy important content without authorization. This affects all versions up to 5.1.5.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-639
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.5. This is due to missing ownership validation on a user-controlled attachment ID, allowing the plugin to store and subsequently delete arbitrary media attachments without verifying that the referenced attachment belongs to the requesting user. This makes it possible for authenticated attackers, with subscriber-level access and above, to permanently delete arbitrary media attachments uploaded by any other user, including administrators.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-7651 is an Insecure Direct Object Reference (IDOR) vulnerability in the User Registration & Membership plugin for WordPress. The vulnerability stems from insufficient access control on an attachment deletion function. When a user initiates a delete operation, the plugin accepts a user-supplied attachment ID parameter without validating that the authenticated user owns or has permission to delete the referenced attachment. An attacker can enumerate or guess valid attachment IDs and delete arbitrary media objects. The vulnerability requires valid WordPress authentication but no elevated privileges—subscriber-level access is sufficient.
Business impact
Organizations running this plugin face uncontrolled data destruction risk. An attacker with even minimal WordPress access (e.g., a compromised low-privilege account) can permanently delete critical media assets—marketing materials, legal documents, product images, user-submitted content—without audit trail protection or recovery. This combines confidentiality loss (loss of content) with integrity and availability damage. For membership-driven sites, loss of course materials or membership-exclusive media could disrupt revenue streams and trigger compliance violations if regulated data is destroyed.
Affected systems
All installations of the User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin running version 5.1.5 or earlier are vulnerable. The plugin is hosted on the WordPress.org plugin repository and is likely deployed across thousands of WordPress sites. Any WordPress installation with this plugin and multiple user accounts (including subscriber-level users or compromised accounts) is at risk.
Exploitability
Exploitability is straightforward for attackers with valid WordPress credentials. The vulnerability requires no authentication bypass, no complex interaction, and no user-assistance. A malicious insider, compromised subscriber account, or attacker who has obtained low-level WordPress credentials can immediately begin deleting arbitrary attachments. The attack surface is broad—any attachment ID on the site can be targeted. However, the attack is limited to authenticated users; external, unauthenticated attackers cannot exploit this directly. The CVSS score of 5.3 (Medium) reflects the requirement for prior authentication, though the ease of exploitation once authenticated is notable.
Remediation
Upgrade to a patched version of the plugin. Check the plugin's official repository and release notes for the first version that addresses this IDOR flaw—verify against the vendor's security advisory for the exact patched version. In the interim, restrict subscriber-level user creation and audit existing subscriber accounts for suspicious activity. Consider using WordPress security plugins to monitor file deletion events or implement additional access controls at the server level if the plugin cannot be patched immediately. Backup all media regularly to enable recovery if deletion occurs.
Patch guidance
Visit the WordPress plugin repository page for User Registration & Membership and update to the latest available version. The vendor should have released a patched version after May 28, 2026 (the vulnerability publication date). Verify the patch notes confirm that ownership validation has been added to the attachment deletion function. Test the patch in a staging environment before deploying to production to ensure compatibility with your site configuration. After patching, audit your media library for unexpected deletions.
Detection guidance
Monitor WordPress media deletion logs and audit trails. Look for bulk or unusual deletion patterns, especially deletions by low-privilege accounts affecting media owned by administrators or other users. Enable WordPress audit logging (via security plugins like Wordfence or Audit Log) to capture which user deleted which attachments and when. Check your site's database for deletion timestamps that correlate with suspicious user activity. Review user session logs to identify any unusual or unauthorized access patterns. If using a Web Application Firewall (WAF), monitor for repeated requests to attachment deletion endpoints with different ID parameters—this may indicate enumeration or automated attacks.
Why prioritize this
Although the CVSS score is Medium (5.3), this vulnerability warrants swift prioritization because: (1) it requires only basic authentication, not complex exploitation; (2) the impact is permanent data loss, which can have severe business and legal consequences; (3) the plugin is publicly available and widely deployed, making it a known target; and (4) the attack leaves minimal technical barriers to execution. The lack of KEV status does not minimize urgency—active exploitation may not yet be widely documented, but the simplicity of the attack makes it an attractive target for opportunistic attackers and malicious insiders.
Risk score, explained
The CVSS 3.1 score of 5.3 reflects: Attack Vector Network (N) – remotely exploitable; Attack Complexity Low (L) – no special conditions required; Privileges Required None (N) – however, the vector indicates unauthenticated; Integrity Impact Low (L) – deletion of files is an integrity violation, not confidentiality loss; Availability Impact None (N) – the attack affects specific files, not system availability broadly. Note: The vector string appears to indicate PR:N, which would imply unauthenticated access, but the description explicitly requires authentication. Verify the vector against the vendor advisory for clarification. Regardless, the practical risk is elevated for organizations with active user bases, and the ease of exploitation justifies rapid patching.
Frequently asked questions
Can external attackers exploit this vulnerability without a WordPress account?
No. The vulnerability requires valid WordPress authentication—at minimum, a subscriber-level account. External attackers would need to either compromise an existing account, create a new one if registration is open, or gain initial access through other means. However, if your site allows open subscriber registration, the barrier to entry is low.
Will patching the plugin restore deleted attachments?
No. Patching will prevent future unauthorized deletion but will not recover media that has already been deleted. Restoration depends on your backup strategy. Ensure you have regular, offline backups of your WordPress media library so you can recover deleted content if an attack occurs before the patch is applied.
Does this vulnerability affect multisite WordPress installations differently?
In a multisite environment, the scope may be broader. An attacker with subscriber-level access on one site might be able to delete attachments across the network, depending on how the plugin shares media and validates permissions across sites. Test the vulnerability's scope in your specific multisite configuration and prioritize patching accordingly.
What should I do if I suspect an attacker has already deleted files using this vulnerability?
Immediately isolate any compromised user accounts and reset their passwords. Check your access logs and audit trail to identify which attachments were deleted and by whom. Restore from your most recent clean backup. Then apply the patch, re-enable user accounts carefully, and monitor for further suspicious activity.
This analysis is provided for informational purposes and reflects the vulnerability details published as of the modification date. CVSS scores, affected versions, and patch information are sourced from official vulnerability disclosures and should be verified against the vendor's advisory before implementing remediation. SEC.co does not guarantee the accuracy or completeness of third-party security tools or patches. Organizations should conduct their own testing in staging environments before deploying patches to production. The absence of KEV status does not indicate the absence of active exploitation or threat. Always consult the WordPress plugin vendor's official security advisory for authoritative patch guidance and release notes. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10154MEDIUMDolibarr ERP CRM Authorization Bypass in Messaging Module
- CVE-2026-10212MEDIUMAstrBot 4.24.2 Authorization Bypass via Session ID Manipulation
- CVE-2026-10597MEDIUMOMICARD EDM Unauthenticated Email Disclosure Vulnerability
- CVE-2026-23638MEDIUMKiteworks IDOR Vulnerability in Secure Data Forms – Patch Guidance
- CVE-2026-24753MEDIUMKiteworks IDOR Vulnerability in Secure Data Forms – Patch to 9.3.0
- CVE-2026-24755MEDIUMKiteworks IDOR Authorization Flaw in Secure Data Forms
- CVE-2026-24756MEDIUMKiteworks IDOR Vulnerability – Unauthorized Data Modification Risk
- CVE-2026-3173MEDIUMWordPress Meta Field Block Insecure Direct Object Reference (IDOR) Vulnerability