WordPress Membership Plugin Flaw Allows Attackers to Create Admin Accounts
A critical security vulnerability discovered in the widely used User Registration & Membership plugin for WordPress allows unauthenticated attackers to create administrator-level accounts, potentially handing full control of affected websites to malicious actors.
The flaw, tracked as CVE-2026-1492, carries a CVSS score of 9.8 (Critical) with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and impacts all plugin versions up to and including 5.1.2. It is classified under CWE as Improper Privilege Management.
The vulnerability was publicly disclosed on March 2, 2026, and credited to security researcher Foxyyy via the Wordfence threat intelligence platform.
The plugin, developed by WPEverest, is a popular solution for building custom registration and login forms, managing memberships, restricting content, and handling user profiles. It is actively used across thousands of WordPress sites, making the scope of this vulnerability particularly concerning.
The vulnerability stems from improper privilege management during the membership registration process. Specifically, the plugin accepts a user-supplied role parameter during registration without enforcing a server-side allowlist to validate or restrict which roles can be assigned.
This means any unauthenticated visitor, with no existing account or credentials, can supply an administrator role value in the registration request. The plugin processes this input without challenge, effectively minting a fully privileged admin account on demand.
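As an added illustration (not the plugin's own code and not part of the advisory), the following PHP contrasts the weak pattern described above, a role taken straight from the request, with a server-side allowlist that decides the role regardless of what the client sends. The role names, function names and sample requests are assumptions made for the example.

```php
<?php
// Illustrative example (added here; not the plugin's own code). It contrasts
// the weak pattern the advisory describes with a server-side allowlist.

// Roles a self-service registration form is permitted to assign. Assumed
// values for this example; a real site would set these from its own config.
const REGISTRATION_ROLE_ALLOWLIST = ['subscriber', 'member'];
const REGISTRATION_DEFAULT_ROLE   = 'subscriber';

// WEAK: the role comes straight from the request. Anything the client sends,
// including 'administrator', would be handed to wp_insert_user() unchanged.
function create_user_weak(array $request): array {
    return [
        'user_login' => $request['username'],
        'user_email' => $request['email'],
        'user_pass'  => $request['password'],
        'role'       => $request['role'],   // client-controlled, unvalidated
    ];
}

// HARDENED: the request may express a preference, but the server decides.
// Only values on the allowlist are honoured; everything else falls back to
// the default role and is logged so the attempt can be reviewed.
function resolve_registration_role(?string $requested): string {
    $requested = strtolower(trim((string) $requested));
    if ($requested === '') {
        return REGISTRATION_DEFAULT_ROLE;
    }
    if (in_array($requested, REGISTRATION_ROLE_ALLOWLIST, true)) {
        return $requested;
    }
    error_log(sprintf('registration: rejected role "%s", using "%s"',
        $requested, REGISTRATION_DEFAULT_ROLE));
    return REGISTRATION_DEFAULT_ROLE;
}

function create_user_hardened(array $request): array {
    return [
        'user_login' => $request['username'],
        'user_email' => $request['email'],
        'user_pass'  => $request['password'],
        'role'       => resolve_registration_role($request['role'] ?? null),
    ];
}

// Constructed sample requests for the demo: a legitimate member signup,
// a request asking for an elevated role, and a request with no role at all.
$requests = [
    ['username' => 'alice',   'email' => 'alice@example.test', 'password' => 'x', 'role' => 'member'],
    ['username' => 'mallory', 'email' => 'm@example.test',     'password' => 'x', 'role' => 'administrator'],
    ['username' => 'bob',     'email' => 'bob@example.test',   'password' => 'x'],
];

foreach ($requests as $r) {
    printf("%-8s weak=%-14s hardened=%s\n",
        $r['username'],
        create_user_weak($r + ['role' => ''])['role'],
        create_user_hardened($r)['role']);
}
```

In a real plugin the hardened array is what gets passed to wp_insert_user(); the point is that the role reaching that call is chosen from a fixed server-side list, never copied from the request. A second, independent guard (refusing to create any account whose resolved role carries elevated capabilities) costs little and catches a future regression in the allowlist.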
According to Wordfence, once an attacker gains administrator access, they can install or modify plugins and themes, inject malicious code, steal sensitive user data, or deploy malware targeting site visitors. Wordfence has already blocked 71 attacks targeting this vulnerability within a single 24-hour window, confirming active exploitation in the wild.
Key steps to take:
- Update the plugin to version 5.1.3 or any newer patched release via the WordPress dashboard
- Audit existing user accounts for any newly created or suspicious administrator accounts
- Review recent registration logs for unusual role assignments or unfamiliar email addresses
- Enable a web application firewall (WAF) such as Wordfence to detect and block exploitation attempts in real time
- Apply the principle of least privilege by turning off open registration if it is not required for your site
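To support the audit steps above, here is an added PHP helper (not from the advisory, Wordfence or the plugin) that flags administrator accounts registered on or after a cutoff date, which is the quickest way to spot accounts minted through a role-assignment flaw. The cutoff date, the sample user rows and the function name are constructed for the example.

```php
<?php
// Illustrative audit helper (added here; not from the advisory, Wordfence or
// the plugin). It flags administrator accounts registered on or after a
// cutoff, the fastest way to spot accounts minted through a role flaw.

/**
 * @param array $users   rows with keys ID, user_login, user_email,
 *                       user_registered ('Y-m-d H:i:s', UTC) and roles (array)
 * @param DateTimeImmutable $cutoff  earliest registration time to flag
 * @return array rows for administrators registered at or after $cutoff
 */
function flag_recent_admins(array $users, DateTimeImmutable $cutoff): array {
    $flagged = [];
    foreach ($users as $u) {
        if (!in_array('administrator', $u['roles'], true)) {
            continue;   // only privileged accounts are of interest here
        }
        $registered = new DateTimeImmutable($u['user_registered'], new DateTimeZone('UTC'));
        if ($registered >= $cutoff) {
            $flagged[] = $u;
        }
    }
    return $flagged;
}

// Assumed cutoff: the date the vulnerable plugin version was installed, or
// earlier if unsure. Constructed value for the demo.
$cutoff = new DateTimeImmutable('2026-02-15 00:00:00', new DateTimeZone('UTC'));

// Constructed sample rows. On a live site, build the same rows from
// get_users(['fields' => 'all']) using $user->ID, ->user_login, ->user_email,
// ->user_registered and ->roles, for instance from a `wp eval-file` script.
$users = [
    ['ID' => 1,  'user_login' => 'siteowner', 'user_email' => 'owner@example.test',
     'user_registered' => '2023-05-10 09:12:00', 'roles' => ['administrator']],
    ['ID' => 57, 'user_login' => 'jdoe',      'user_email' => 'jdoe@example.test',
     'user_registered' => '2026-02-20 14:03:11', 'roles' => ['subscriber']],
    ['ID' => 58, 'user_login' => 'sysadmin2', 'user_email' => 'x9q@example.test',
     'user_registered' => '2026-03-01 03:41:27', 'roles' => ['administrator']],
];

foreach (flag_recent_admins($users, $cutoff) as $u) {
    printf("REVIEW id=%d login=%s email=%s registered=%s\n",
        $u['ID'], $u['user_login'], $u['user_email'], $u['user_registered']);
}
// Any flagged account the team does not recognise should be treated as a
// compromise indicator: delete it, reset every administrator password, and
// inspect plugins and themes changed since its registration time.
```

For a one-off check without writing any code, WP-CLI gives the same listing with `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered`; sort by the registration column and compare against the date the vulnerable version went live.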
Given how trivial exploitation is, requiring no authentication, no special tools, and no prior knowledge of the target site, CVE-2026-1492 represents a high-priority patching obligation. Sites that delay updates remain easy targets for automated scanners actively probing WordPress installations for this exact weakness.
Site: cybersecuritypath.com