CVE-2026-2356: CWE-284 Improper Access Control in wpeverest User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2 via the 'register_member' function, due to missing validation on the 'member_id' user-controlled key. This makes it possible for unauthenticated attackers to delete arbitrary, newly registered user accounts on the site that have the 'urm_user_just_created' user meta set.
AI Analysis
Technical Summary
CVE-2026-2356 is an Insecure Direct Object Reference (IDOR) vulnerability classified under CWE-284 (Improper Access Control) found in the 'User Registration & Membership' WordPress plugin developed by wpeverest. This plugin provides custom registration forms, login forms, user profiles, and membership management features. The vulnerability exists in the 'register_member' function, where the 'member_id' parameter is user-controlled and lacks proper validation or authorization checks. Specifically, attackers can manipulate the 'member_id' to delete arbitrary user accounts that have the 'urm_user_just_created' user meta set, which typically marks newly registered users. Since the flaw does not require authentication or user interaction, it can be exploited remotely by unauthenticated attackers. The impact is limited to the integrity of user accounts, allowing unauthorized deletion but not affecting confidentiality or availability directly. The CVSS v3.1 base score is 5.3 (medium), reflecting the ease of exploitation (network vector, low complexity, no privileges, no user interaction) but limited impact scope (integrity only). No patches or fixes have been officially released at the time of publication, and no known exploits have been reported in the wild. This vulnerability highlights the importance of proper access control and validation in user management functions within WordPress plugins, especially those handling membership and registration workflows.
Potential Impact
The primary impact of CVE-2026-2356 is the unauthorized deletion of newly created user accounts on affected WordPress sites. This compromises the integrity of user data and can disrupt membership or subscription services by removing legitimate users without their consent. For organizations relying on this plugin for managing memberships, subscriptions, or content restriction, this could lead to loss of user trust, administrative overhead to restore accounts, and potential service disruption for affected users. While the vulnerability does not directly expose sensitive data or cause denial of service, the ability to delete accounts without authentication could be leveraged in targeted attacks to disrupt community platforms, membership sites, or subscription-based services. The lack of authentication requirement and ease of exploitation increase the risk of automated attacks or mass account deletions. Organizations with high volumes of new user registrations are particularly vulnerable, as attackers can repeatedly exploit the flaw to delete multiple accounts. Although no known exploits are currently reported, the public disclosure increases the likelihood of future exploitation attempts.
Mitigation Recommendations
To mitigate CVE-2026-2356, organizations should immediately audit their WordPress sites for the presence of the vulnerable 'User Registration & Membership' plugin by wpeverest. Until an official patch is released, consider the following specific actions:
1) Temporarily disable or deactivate the plugin to prevent exploitation if membership functionality is not critical.
2) Restrict access to the 'register_member' function or related endpoints via web application firewall (WAF) rules, blocking unauthenticated requests attempting to manipulate 'member_id' parameters.
3) Implement custom code or hooks to validate and authorize any user deletion requests, ensuring only authorized administrators can delete accounts.
4) Monitor logs for suspicious activity targeting user registration or deletion functions, focusing on requests with unusual 'member_id' values or originating from unknown IP addresses.
5) Educate site administrators about the vulnerability and encourage prompt updates once a patch is available.
6) Consider additional hardening measures such as rate limiting registration-related endpoints to reduce the risk of mass exploitation.
7) Backup user data regularly to enable recovery of deleted accounts if exploitation occurs.
These targeted mitigations go beyond generic advice by focusing on controlling access to the vulnerable function and monitoring for exploitation attempts.
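The following is an added illustration of mitigation step 3, not code from the User Registration & Membership plugin or from wpeverest. It contrasts the unsafe pattern the advisory describes (an AJAX handler reachable without a session that trusts a request-supplied 'member_id' and gates deletion only on the 'urm_user_just_created' meta) with a hardened handler that authenticates the caller, verifies a nonce, and binds the target id to the session or to the WordPress 'delete_users' capability. The function names, AJAX action name and nonce action ('example_delete_member') are assumptions made for this example; the WordPress APIs used (add_action, check_ajax_referer, current_user_can, get_user_meta, wp_delete_user, wp_send_json_*) are real core functions.

```php
<?php
/**
 * Added example (not the plugin's own code): a hypothetical AJAX handler that
 * deletes a just-created account, shown first as the unsafe IDOR pattern and
 * then hardened. Hook names, function names and nonce action are assumed.
 */

// --- Unsafe pattern: the target account comes straight from the request. ---
// Any caller, including an anonymous one, can name any user id. The user-meta
// flag is a business rule, not an authorization check.
function example_unsafe_delete_member() {
    $member_id = isset( $_POST['member_id'] ) ? absint( $_POST['member_id'] ) : 0;
    if ( $member_id && get_user_meta( $member_id, 'urm_user_just_created', true ) ) {
        require_once ABSPATH . 'wp-admin/includes/user.php';
        wp_delete_user( $member_id );
        wp_send_json_success();
    }
    wp_send_json_error( 'not deleted', 400 );
}
// Registering on the nopriv hook is what makes it reachable without a session.
add_action( 'wp_ajax_nopriv_example_delete_member', 'example_unsafe_delete_member' );
add_action( 'wp_ajax_example_delete_member', 'example_unsafe_delete_member' );

// --- Hardened pattern: authenticate, verify intent, authorize, then act. ---
function example_safe_delete_member() {
    // 1. Refuse anonymous callers explicitly, even though the handler is only
    //    registered on the authenticated wp_ajax_ hook below.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }

    // 2. Tie the request to the caller's session (CSRF protection). The nonce
    //    must have been issued with wp_create_nonce( 'example_delete_member' ).
    check_ajax_referer( 'example_delete_member', 'nonce' );

    $requested_id = isset( $_POST['member_id'] ) ? absint( $_POST['member_id'] ) : 0;
    $current_id   = get_current_user_id();

    // 3. Authorization: a caller may only act on their own account unless they
    //    hold the delete_users capability. The id from the request is checked
    //    against the session rather than trusted on its own.
    if ( $requested_id !== $current_id && ! current_user_can( 'delete_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Business rule last: only accounts still flagged as just-created.
    if ( ! get_user_meta( $requested_id, 'urm_user_just_created', true ) ) {
        wp_send_json_error( 'account is not a pending registration', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/user.php';
    if ( wp_delete_user( $requested_id ) ) {
        wp_send_json_success( array( 'deleted' => $requested_id ) );
    }
    wp_send_json_error( 'deletion failed', 500 );
}
// Authenticated hook only: deliberately no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_example_delete_member', 'example_safe_delete_member' );
```

The ordering in the hardened handler matters: authentication and the nonce check run before any request value is read, the authorization decision compares the requested id against the session instead of accepting it, and the 'urm_user_just_created' meta is consulted only after the caller has been authorized. For mitigation step 4, the same 'member_id' parameter is the value to watch in access logs: unauthenticated POSTs that cycle through sequential ids against the registration endpoint are the signature of the pattern this example closes.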
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-11T16:54:51.661Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a062b5b7ef31ef0b701612
Added to database: 2/26/2026, 3:11:49 PM
Last enriched: 2/26/2026, 3:28:21 PM
Last updated: 2/26/2026, 10:29:44 PM