Identity, Vulnerability Management, Patch/Configuration Management

Critical vulnerability in WordPress User Registration plugin exploited

(Credit: Bilal Ulker – stock.adobe.com)

Hackers are actively exploiting a critical vulnerability in the User Registration & Membership plugin, affecting over 60,000 WordPress sites. This flaw allows unauthorized creation of administrator accounts, posing a significant risk to website security. The vulnerability is tracked as CVE-2026-1492 and has a severity rating of 9.8, as reported by Bleeping Computer.

The User Registration & Membership plugin, developed by WPEverest, enables membership and user registration features. The vulnerability, CVE-2026-1492, allows attackers to create administrator accounts without authentication by exploiting how the plugin handles user-supplied roles during registration. An administrator account grants full control over a WordPress site, enabling attackers to install malicious plugins, alter site content, steal sensitive data like user databases, and embed malware. Security researchers have already blocked more than 200 exploitation attempts within 24 hours. The vulnerability affects versions through 5.1.2, with a fix available in version 5.1.3 and later.

This incident highlights the ongoing threat to WordPress sites, which are frequent targets for various malicious activities. Website administrators are strongly advised to update the User Registration & Membership plugin to the latest version or disable it if an update is not immediately possible.

Source: Bleeping Computer

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds