CVE-2026-7651 Overview
CVE-2026-7651 is an Insecure Direct Object Reference (IDOR) vulnerability in the User Registration & Membership plugin for WordPress. The plugin provides free and paid memberships, subscriptions, content restriction, user profile management, and custom user registration and login functionality. The flaw affects all versions up to and including 5.1.5 and is caused by missing ownership validation on a user-controlled attachment ID. Authenticated attackers with subscriber-level access or above can permanently delete arbitrary media attachments uploaded by any other user, including site administrators. The issue is tracked under CWE-639 (Authorization Bypass Through User-Controlled Key).
Critical Impact
Authenticated subscribers can permanently delete arbitrary media attachments belonging to any WordPress user, including administrators, causing integrity loss across the site media library.
Affected Products
- WordPress User Registration & Membership plugin versions through 5.1.5
- WordPress sites permitting subscriber-level or higher registration with the plugin active
- Sites running the plugin's frontend profile and attachment workflows
Discovery Timeline
- 2026-05-28 - CVE-2026-7651 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-7651
Vulnerability Analysis
The vulnerability resides in the plugin's frontend attachment handling logic within class-ur-frontend.php. The plugin accepts an attachment ID supplied by the authenticated user and uses it to store and subsequently delete media attachments without confirming the requester owns the referenced object. Because the WordPress media library is shared across users, any valid attachment ID corresponds to a real post object that the plugin will operate on.
An authenticated attacker submitting a crafted profile or registration request can substitute another user's attachment ID. The plugin then deletes the referenced attachment from the site, removing it from disk and the database. The impact is limited to integrity loss on media content, with no direct path to code execution or credential disclosure.
Root Cause
The root cause is missing authorization on a user-controlled key, classified under CWE-639. The plugin trusts the attachment ID parameter without calling an ownership check such as comparing post_author against the current user ID, and without verifying that the attachment is associated with the requesting user's profile. The fix shipped in version 5.2.0 introduces ownership validation prior to storing or deleting the attachment, as visible in the WordPress User Registration Changeset.
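The ownership check described above, written out as an added illustration rather than the plugin's own code. The ur_example_* function names and the request parameter name are hypothetical; the WordPress core calls (get_post, get_current_user_id, current_user_can, wp_delete_attachment) are real.

```php
<?php
// Added example: ownership validation for a user-supplied attachment ID.
// Not the User Registration plugin's code; ur_example_* names are hypothetical.

/**
 * Return true only if $attachment_id names a real attachment post
 * whose post_author is $user_id. Anything else fails closed.
 */
function ur_example_user_owns_attachment( int $attachment_id, int $user_id ): bool {
    if ( $attachment_id <= 0 || $user_id <= 0 ) {
        return false;
    }
    $post = get_post( $attachment_id );
    if ( ! $post instanceof WP_Post || 'attachment' !== $post->post_type ) {
        return false; // missing post, or not an attachment at all
    }
    return (int) $post->post_author === $user_id;
}

/*
 * The CWE-639 pattern: the ID taken from the request goes straight to
 * wp_delete_attachment() with no check of who uploaded it. Any valid
 * attachment ID in the shared media library is acted on.
 *
 *   $attachment_id = absint( $_POST['attachment_id'] ); // hypothetical field
 *   wp_delete_attachment( $attachment_id, true );
 */

/**
 * Hardened form: confirm the requester owns the attachment, then also
 * respect core's per-post capability so site policy still applies.
 */
function ur_example_delete_own_attachment( int $attachment_id ): bool {
    $user_id = get_current_user_id();
    if ( ! ur_example_user_owns_attachment( $attachment_id, $user_id ) ) {
        return false;
    }
    if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
        return false;
    }
    return wp_delete_attachment( $attachment_id, true ) instanceof WP_Post;
}
```

Pair this with the usual nonce verification on the frontend form; the ownership check closes the IDOR, the nonce closes CSRF.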
Attack Vector
The attack vector is network-based and requires only subscriber-level authentication, which many WordPress sites grant through open registration. An attacker enumerates attachment IDs, which are sequential integers exposed in WordPress media URLs, and submits them through the plugin's profile or registration endpoint. The plugin processes the request as if the attachment belonged to the attacker and deletes it. Repeated requests can remove large portions of the media library, including images referenced by published pages and posts. See the Wordfence Vulnerability Analysis for additional context.
Detection Methods for CVE-2026-7651
Indicators of Compromise
- Unexpected attachment post deletions in the WordPress wp_posts table not initiated by administrators
- Missing files in wp-content/uploads/ referenced by published posts and pages
- Subscriber-level accounts submitting frontend profile update requests with attachment IDs outside their own uploads
- Spikes in wp-admin/admin-ajax.php or plugin frontend endpoint traffic from low-privilege users
Detection Strategies
- Audit WordPress activity logs for media deletions correlated with subscriber accounts rather than editors or administrators
- Compare attachment IDs referenced in plugin requests against post_author ownership in the database
- Alert on bulk deletions of attachment posts within short time windows
Monitoring Recommendations
- Enable a WordPress audit logging plugin that captures delete_attachment actions with the originating user ID
- Forward web server access logs to a centralized log platform and monitor POST requests to the User Registration plugin endpoints
- Track newly registered subscriber accounts that immediately interact with attachment workflows
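One way to implement the first detection strategy at the application layer, as an added example that is not from this page or the plugin: a must-use plugin hooking WordPress core's delete_attachment action (which fires before the file and post are removed) and logging any deletion where the acting user is not the attachment's post_author. The log line format and the ATTACHMENT_AUDIT tag are our own choices.

```php
<?php
/**
 * Plugin Name: Attachment Deletion Audit (added example)
 * Description: Added example, not the User Registration plugin's code.
 * Drop into wp-content/mu-plugins/. Logs attachment deletions where the
 * actor is not the uploader, so subscriber-driven deletions of other
 * users' media stand out in the PHP error log or forwarded log stream.
 */
add_action( 'delete_attachment', function ( int $post_id ): void {
    $post = get_post( $post_id );
    if ( ! $post instanceof WP_Post ) {
        return;
    }
    $actor    = wp_get_current_user();
    $actor_id = (int) $actor->ID;          // 0 for WP-CLI/cron with no user
    $owner_id = (int) $post->post_author;
    if ( $actor_id === $owner_id ) {
        return;                            // owner deleting their own upload
    }
    $roles  = (array) $actor->roles;
    $record = array(
        'event'      => 'attachment_deleted_by_non_owner',
        'attachment' => $post_id,
        'file'       => get_attached_file( $post_id ), // still present: hook fires pre-delete
        'owner_id'   => $owner_id,
        'actor_id'   => $actor_id,
        'actor_role' => implode( ',', $roles ),
        // Subscriber-role actors deleting others' media match the CVE pattern.
        'severity'   => in_array( 'subscriber', $roles, true ) ? 'high' : 'info',
        'remote_ip'  => isset( $_SERVER['REMOTE_ADDR'] )
            ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
        'request'    => isset( $_SERVER['REQUEST_URI'] )
            ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '',
        'time'       => gmdate( 'c' ),
    );
    error_log( 'ATTACHMENT_AUDIT ' . wp_json_encode( $record ) );
}, 10, 1 );
```

Alert on any 'severity":"high' record, and on bursts of records from one actor_id inside a short window, which covers the bulk-deletion strategy listed above.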
How to Mitigate CVE-2026-7651
Immediate Actions Required
- Update the User Registration & Membership plugin to version 5.2.0 or later on every affected WordPress site
- Review media library integrity and restore any deleted attachments from backup
- Audit subscriber accounts created during the exposure window and remove suspicious users
Patch Information
The vendor addressed CVE-2026-7651 in version 5.2.0 of the User Registration plugin. The patch adds ownership validation before the plugin stores or deletes attachments referenced by an attachment ID parameter. The code change is documented in the WordPress User Registration Changeset and the affected handler is in class-ur-frontend.php.
Workarounds
- Disable the User Registration & Membership plugin until the update to 5.2.0 is applied
- Restrict new user registration, or set the default registration role to one below subscriber so that the plugin's attachment workflow is unreachable for new accounts
- Apply a web application firewall rule blocking frontend plugin requests that reference attachment IDs not owned by the requester
# Update the plugin via WP-CLI to the patched release
wp plugin update user-registration --version=5.2.0
wp plugin list --name=user-registration --fields=name,status,version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.