Update first, then verify the membership workflows that matter to your store. The User Registration & Membership plugin’s 5.2.2 release corrected membership-payment and authorization problems, and the current public release is newer still. If your site uses the plugin for paid memberships, subscriptions, member roles, or gated content, treat this as a prompt to take a recoverable backup and update to the latest available release.
This is a defensive update guide for site owners and hosting teams. It does not assume that a site has been attacked. The public vulnerability records describe issues that could let a low-privilege account alter another member’s role or membership state, or could let an untrusted payment notification activate a paid membership. The plugin’s own changelog also records fixes for payment-bypass and subscription-authorization problems in the 5.2.2 line. The sensible response is a controlled update and a focused review, not an emergency guess.
What needs attention
- Plugin: User Registration & Membership by WPEverest.
- Version decision: 5.2.2 contains the relevant corrections, but install the current release rather than stopping at an older fixed version.
- Prioritize: sites that accept paid memberships, use PayPal or Stripe with a membership form, allow public registration, or grant roles based on a purchase or membership selection.
- Reported concerns: unauthorized changes to another member’s role or membership tier, and a payment-status bypass that could activate a membership without a completed payment.
Those risks affect business rules as well as WordPress accounts. A site can look healthy while its membership access, subscription state, or role assignments have drifted. That is why the verification phase is part of the update.
Use a backup-first update window
- Confirm that you have a recent database backup and a copy of the WordPress files. Record where the restore point lives and who can use it.
- Choose a low-traffic maintenance window when possible. On a busy membership site, let the support and finance teams know that registration and checkout checks are planned.
- Update User Registration & Membership to the latest version offered by the official WordPress plugin directory or your approved vendor channel.
- Clear the WordPress, host, and CDN caches so logged-out registration and checkout pages are not served from an older response.
- Keep the backup until normal member activity, renewals, and administrator checks have completed successfully.
Need a more complete recovery checklist before making the change? Start with our WordPress backup checklist, then return here for the membership-specific checks.
Verify the workflows, not just the version number
Use a staging site or a small set of test accounts where you can. Do not use a real customer’s payment details or change a real member’s access merely to test the update.
- Create a new test registration and confirm it receives only the expected default access.
- Check one free membership path and one paid membership path. Confirm that paid access is not granted until the normal payment completion process has finished.
- Review an existing member’s subscription and membership tier from an administrator account. Confirm that a regular member cannot change another person’s plan, role, or renewal state.
- If the site uses recurring payments, verify that an expected renewal still appears correctly and that no active subscription was interrupted during the plugin update.
- Confirm that restricted pages remain restricted for logged-out visitors and ordinary test members.
For a WooCommerce-backed membership site, also run a normal test checkout in the configured payment mode and review the resulting order and membership status. Keep payment credentials, notification secrets, and order details out of tickets and screenshots.
Review for unexpected access changes
After the update, compare recent membership activity with your expected sales and support work. Look for newly elevated WordPress roles, paid memberships that do not have a corresponding completed payment, unexpected changes to an existing member’s tier, or unusual bursts of registrations. A mismatch does not prove the vulnerability was used, but it is a reason to preserve the relevant administrative evidence and investigate with the site owner.
If you find a suspicious change, reset the affected account’s access to the approved state, rotate any credentials that were exposed through normal account recovery procedures, and review who has administrator-level access. Avoid publishing customer information or payment records while the issue is being investigated.
Keep the plugin and WordPress support stack current
Membership plugins sit at the intersection of registration, roles, payments, and content access. Put them on a deliberate update cadence, subscribe to the plugin’s official changelog, and test updates on a staging copy when your site has complex subscriptions or custom integrations. Our WordPress support hub has adjacent guidance for backups, security triage, performance, and maintenance planning.
Sources and update context
- User Registration & Membership on WordPress.org lists the current release and changelog entries for the affected membership and payment corrections.
- CVE-2026-11963 in NVD describes the authorization issue affecting membership changes.
- CVE-2026-11964 in NVD describes the payment-notification issue affecting membership activation.
Last reviewed July 13, 2026. This guide is intended for defensive maintenance and does not include exploit or reproduction instructions.


