The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2 via the 'register_member' function, due to missing validation on the 'member_id' user-controlled key. This makes it possible for unauthenticated attackers to delete arbitrary user accounts that are newly registered on the site and have the 'urm_user_just_created' user meta set.
The User Registration & Membership plugin for WordPress contains an Insecure Direct Object Reference vulnerability allowing unauthenticated attackers to delete arbitrary newly registered user accounts. The vulnerability exists in the 'register_member' function due to missing validation on the 'member_id' parameter.
The User Registration & Membership plugin contains an IDOR vulnerability in the 'register_member' function, which lacks validation of the user-controlled 'member_id' parameter. Unauthorized attackers can delete new user accounts that carry the 'urm_user_just_created' metadata.
A vulnerability in the User Registration & Membership WordPress plugin allows unauthorized deletion of newly registered user accounts through missing input validation. Attackers can exploit this flaw without authentication to remove user accounts marked with the 'urm_user_just_created' metadata.
Update the User Registration & Membership plugin to version 5.1.3 or later immediately. Implement input validation and authorization checks on the 'member_id' parameter in the 'register_member' function. Consider disabling the plugin if immediate patching is not possible.
Update the User Registration & Membership plugin to version 5.1.3 or later immediately. Apply input validation and authorization checks to the 'member_id' parameter. Consider disabling the plugin if an immediate update is not possible.
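The difference between trusting a caller-supplied 'member_id' and adding the validation and authorization checks recommended above, as an added example: a language-neutral Python model, not the plugin's PHP code and not the fix shipped in 5.1.3. The `UserStore` class, both function names and the one-time cleanup token are assumptions made for illustration; only the 'urm_user_just_created' key comes from the advisory.

```python
import hashlib
import hmac
import secrets

JUST_CREATED = "urm_user_just_created"  # meta key named in the advisory


class UserStore:
    """Constructed in-memory stand-in for the site's user table."""

    def __init__(self):
        self.users = {}  # user id -> meta dict
        self._next_id = 1

    def register(self):
        """Create a pending account; return (user_id, one-time cleanup token)."""
        user_id, self._next_id = self._next_id, self._next_id + 1
        token = secrets.token_urlsafe(32)
        self.users[user_id] = {
            JUST_CREATED: True,
            # Assumed extra field: only the token's hash is kept server-side.
            "cleanup_token_sha256": hashlib.sha256(token.encode()).hexdigest(),
        }
        return user_id, token


def cleanup_unchecked(store, member_id):
    """Flawed pattern: the 'just created' flag is the only condition, so any
    caller who names an id can remove that pending account."""
    meta = store.users.get(member_id)
    if meta and meta.get(JUST_CREATED):
        del store.users[member_id]
        return True
    return False


def cleanup_checked(store, member_id, token):
    """Hardened pattern: validate the id, then require proof that the caller
    is the registration that created this specific account."""
    if type(member_id) is not int or member_id <= 0 or not isinstance(token, str):
        return False
    meta = store.users.get(member_id)
    if not meta or not meta.get(JUST_CREATED):
        return False
    supplied = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(supplied, meta["cleanup_token_sha256"]):
        return False  # the id belongs to someone else's registration
    del store.users[member_id]
    return True
```

The flag check stays in the hardened version, but it only narrows which accounts are eligible; the token comparison is what ties the request to the account it names.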