cleantalk
Vulnerabilities and Security Researches

User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin, CVE-2026-2356

CVE, Research URL

CVE-2026-2356

Home page URL

Security reports for User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin

Application

User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin

Published on
Feb 26, 2026
Research Description
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2 via the 'register_member' function, due to missing validation on the 'member_id' user controlled key. This makes it possible for unauthenticated attackers to delete arbitrary user accounts that newly registered on the site who has the 'urm_user_just_created' user meta set.
Affected versions
max 5.1.3.
Status
vulnerable
Previous vulnerability researches
Modular DS: Manage all your websites from a single dashboard (CVE-2026-3903) , Apr 14, 2026
Modular DS: Manage all your websites from a single dashboard (CVE-2026-23550) , Jan 27, 2026
Modular DS: Manage all your websites from a single dashboard (CVE-2026-23800) , Jan 27, 2026
New vulnerability
Nexter Extension (CVE-2026-0726) , Apr 15, 2026
CallbackKiller service widget (CVE-2026-1944) , Apr 15, 2026
Robin image optimizer — save money on image compression (CVE-2026-1319) , Apr 15, 2026
Advanced Woo Labels – Product Labels for WooCommerce (CVE-2026-1929) , Apr 15, 2026
Newsletter – Send awesome emails from WordPress (CVE-2026-1051) , Apr 15, 2026