Websites using User Registration & Membership Plugin: WordPress Membership Plugin Vulnerability Lets Attackers Create Admin Accounts

Critical WordPress Plugin Flaw Allows Unauthenticated Admin Account Creation

A severe security vulnerability (CVE-2026-1492) has been discovered in the User Registration & Membership WordPress plugin, enabling unauthenticated attackers to bypass security controls and create administrator accounts. The flaw, rated 9.8 (critical) on the CVSS scale, stems from improper privilege management, allowing attackers to specify any user role including administrator during registration without server-side validation.

The plugin, used for custom registration forms and user profile management, is affected in versions up to and including 5.1.2. Exploitation grants attackers full control over compromised sites, enabling data theft, content manipulation, or backdoor installation. Security firm Wordfence has detected 74 active exploitation attempts in the past 24 hours.

Researcher Foxyyy identified the vulnerability, which was disclosed on March 2, 2026, with an updated advisory on March 3. The vendor released a patch (version 5.1.3) that restricts role assignment during registration, preventing privilege escalation. However, the plugin has a history of security issues, including a separate authentication bypass flaw (CVE-2026-1779) in the same version.

Administrators are advised to update immediately and audit existing accounts for unauthorized administrators. Monitoring registration endpoints for suspicious role requests is also recommended, as the flaw does not require prior authentication, leaving unpatched sites highly exposed.
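As an added illustration (not the plugin's or the vendor's code), the PHP below shows, in mu-plugin form, the defensive controls the advisory points to: a registration handler that never takes the role from the request, a hook that logs any administrator-role grant made by an unprivileged request, and an audit helper for the post-patch account review. The `example_` function names and the hypothetical `$request` array are assumptions; every WordPress API called is a standard core function.

```php
<?php
// Illustrative mu-plugin, not the vendor's code. Covers the bug class in the
// advisory: a registration form that lets the client choose its own role.

// 1. Hardened registration: the role is never read from the request.
//    Only username and e-mail come from the client; the role is the site's
//    configured default (normally "subscriber").
function example_safe_register( array $request ) {
    $login = sanitize_user( $request['user_login'] ?? '', true );
    $email = sanitize_email( $request['user_email'] ?? '' );
    if ( $login === '' || ! is_email( $email ) ) {
        return new WP_Error( 'invalid_input', 'Username or e-mail rejected.' );
    }
    return wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        // Server-side decision; a client-supplied "role" field is ignored.
        'role'       => get_option( 'default_role', 'subscriber' ),
    ) );
}

// 2. Detection: log whenever any code path (this plugin or another) sets a
//    user to administrator while the current request cannot promote users,
//    e.g. an unauthenticated registration request. Note that WP-CLI runs
//    without a logged-in user, so `wp user create --role=administrator`
//    will also be logged; that is a useful audit trail, not a false alarm.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( $role !== 'administrator' || current_user_can( 'promote_users' ) ) {
        return;
    }
    error_log( sprintf(
        'ALERT: user %d set to administrator (was: %s) by unprivileged request from %s to %s',
        $user_id,
        implode( ',', (array) $old_roles ),
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $_SERVER['REQUEST_URI'] ?? '-'
    ) );
}, 10, 3 );

// 3. Audit: administrator accounts registered on or after a given date, for
//    the account review the advisory recommends after patching.
//    Usage: wp eval 'print_r( example_recent_admins( "2026-02-01" ) );'
function example_recent_admins( $since ) {
    $hits = array();
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
        if ( strtotime( $user->user_registered ) >= strtotime( $since ) ) {
            $hits[] = array( $user->ID, $user->user_login, $user->user_registered );
        }
    }
    return $hits;
}
```

Any administrator the audit returns that nobody on the team created should be treated as a compromise indicator and removed after the site is patched, since an account created through this flaw may also have planted backdoors.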

Source: https://cybersecuritynews.com/wordpress-membership-plugin-vulnerability/

AYECODE LTD cybersecurity rating report: https://www.rankiteo.com/company/ayecode-ltd

{
  "id": "AYE1772799844",
  "linkid": "ayecode-ltd",
  "type": "Cyber Attack",
  "date": "3/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {
      "industry": "Web Development, Content Management",
      "location": "Global",
      "name": "User Registration & Membership WordPress plugin users",
      "type": "Software/Plugin"
    }
  ],
  "attack_vector": "Remote",
  "customer_advisories": "Administrators are advised to update immediately and audit existing accounts for unauthorized administrators.",
  "date_publicly_disclosed": "2026-03-02",
  "description": "A severe security vulnerability (CVE-2026-1492) has been discovered in the User Registration & Membership WordPress plugin, enabling unauthenticated attackers to bypass security controls and create administrator accounts. The flaw stems from improper privilege management, allowing attackers to specify any user role including administrator during registration without server-side validation.",
  "impact": {
    "data_compromised": "Potential data theft",
    "operational_impact": "Full control over compromised sites, content manipulation, backdoor installation",
    "systems_affected": "WordPress sites using User Registration & Membership plugin (versions ≤ 5.1.2)"
  },
  "lessons_learned": "Improper privilege management can lead to severe security flaws; server-side validation is critical for role assignment during registration.",
  "post_incident_analysis": {
    "corrective_actions": "Patch released (version 5.1.3) to restrict role assignment during registration",
    "root_causes": "Improper privilege management, lack of server-side validation for role assignment during registration"
  },
  "recommendations": "Update to version 5.1.3 immediately, audit existing accounts for unauthorized administrators, monitor registration endpoints for suspicious activity.",
  "references": [{"source": "Wordfence"}, {"source": "Researcher Foxyyy"}],
  "response": {
    "communication_strategy": "Advisory released by vendor and researcher",
    "containment_measures": "Update to patched version (5.1.3)",
    "enhanced_monitoring": "Monitor registration endpoints for suspicious role requests",
    "remediation_measures": "Restrict role assignment during registration, audit existing accounts for unauthorized administrators",
    "third_party_assistance": "Wordfence"
  },
  "title": "Critical WordPress Plugin Flaw Allows Unauthenticated Admin Account Creation",
  "type": "Privilege Escalation",
  "vulnerability_exploited": "CVE-2026-1492"
}