The User Registration & Membership WordPress plugin before 5.2.2 does not perform an authorization check on a membership-upgrade action and derives the user to modify from a caller-supplied identifier instead of the current user, allowing any authenticated user such as a subscriber to change another user's WordPress role and membership tier.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
The User Registration & Membership WordPress plugin before version 5.2.2 contains a critical authorization bypass vulnerability that allows any authenticated user—including low-privileged subscribers—to escalate the roles and membership tiers of other users. The flaw stems from two compounding issues: the membership-upgrade action lacks proper authorization checks, and the plugin derives the target user from caller-supplied input rather than validating against the current authenticated user's identity. This means an attacker with basic subscriber access can modify administrators, editors, or other users' roles, potentially gaining administrative control over WordPress installations. Organizations using this plugin are at immediate risk of privilege escalation attacks that could lead to complete site compromise.
While this CVE does not currently map to MITRE ATT&CK techniques or have matching Casky skills, the underlying attack pattern aligns with privilege escalation and lateral movement tactics. Practitioners using Casky would typically identify similar vulnerabilities through skills that detect: insufficient access control validation on sensitive actions, parameter tampering on user-modification endpoints, and authentication/authorization bypass patterns. During incident investigation, security teams would look for POST requests to membership upgrade endpoints that reference user IDs other than the requester, unusual role change events in WordPress audit logs, and sudden administrator account creations by low-privileged users. Organizations should prioritize patching to version 5.2.2 or later, audit recent user role modifications, and implement stricter authorization controls at both the application and WAF levels to prevent unauthorized privilege escalation attempts.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-11963. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation