Critical WordPress Plugin Flaw Exploited to Create Rogue Admin Accounts

A newly disclosed vulnerability in a widely used WordPress membership plugin is being actively exploited, allowing attackers to create administrator accounts and potentially take full control of affected websites.

The flaw impacts the User Registration & Membership plugin developed by WPEverest, a popular WordPress extension used to manage registration forms, memberships, and payment integrations such as PayPal and Stripe. The plugin is installed on more than 60,000 sites.

Tracked as CVE-2026-1492, the issue has received a critical severity rating of 9.8. The vulnerability stems from the plugin accepting a user-supplied role value during the registration process. Because that value is not sufficiently validated, an unauthenticated attacker can set the role field so that the newly registered account is created with administrator privileges.

Once an attacker gains administrator access, they can perform virtually any action on the site. This includes installing plugins or themes, modifying PHP code, altering security settings, changing content, or even locking out legitimate site owners. In more serious scenarios, attackers may also access databases containing registered user information or inject malicious scripts to distribute malware to visitors.

Security researchers at Defiant, the company behind the Wordfence WordPress security plugin, say they blocked more than 200 exploitation attempts within a 24-hour period in environments protected by their platform. The activity suggests that threat actors are already scanning for and targeting vulnerable installations.

All versions of the plugin up to and including 5.1.2 are affected. The developers released a fix in version 5.1.3, and the current release is 5.1.4. Website administrators are strongly advised to update immediately. If updating is not possible, temporarily disabling or uninstalling the plugin is recommended.
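The two checks a site owner needs after reading the above are whether the installed plugin is below the fixed release and whether any administrator account exists that they did not create. The script below is an added example written for this article, not code from WPEverest, Wordfence or the plugin; it assumes the operator has already captured WP-CLI output (for example from `wp plugin get <slug> --field=version` and `wp user list --role=administrator --format=csv`) and feeds it in. The plugin slug, the CSV column layout and the sample rows are constructed assumptions.

```python
"""Post-advisory triage for the role-injection bug described above (CVE-2026-1492).

Added illustration, not the plugin's or Wordfence's code. Assumes the operator
pastes in WP-CLI output; the CSV shape below is an assumption about that output.
"""
import csv
import io
from datetime import datetime

# First fixed release named in the advisory.
FIXED_VERSION = (5, 1, 3)


def parse_version(version: str) -> tuple:
    """Turn '5.1.2' into (5, 1, 2); non-numeric suffixes such as '-beta' are ignored."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(installed: str) -> bool:
    """True when the installed plugin predates the 5.1.3 fix (i.e. 5.1.2 and earlier)."""
    return parse_version(installed) < FIXED_VERSION


# Constructed sample of what
#   wp user list --role=administrator --format=csv --fields=ID,user_login,user_email,user_registered
# might emit. The third row is a made-up account of the kind an exploit would leave behind.
SAMPLE_ADMIN_CSV = """ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2021-03-14 09:12:44
2,editor-jane,jane@example.com,2023-07-01 11:05:00
57,wpupdate_svc,x8q2@example.test,2026-02-11 03:41:17
"""


def unexpected_admins(csv_text: str, known_admins: set, since: str) -> list:
    """Flag administrator rows that are either not on the operator's allowlist
    or were registered on/after `since` (ISO date), whichever trips first.

    Registration timestamps alone are not enough: an attacker who already has
    admin access can edit them, so the allowlist comparison is the primary test.
    """
    since_dt = datetime.fromisoformat(since)
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if row["user_login"] not in known_admins or registered >= since_dt:
            flagged.append({
                "ID": int(row["ID"]),
                "login": row["user_login"],
                "email": row["user_email"],
                "registered": row["user_registered"],
            })
    return flagged


if __name__ == "__main__":
    # Stand-alone run against the constructed sample data.
    installed = "5.1.2"  # replace with `wp plugin get user-registration --field=version` output
    print(f"plugin {installed}: {'VULNERABLE, update now' if is_vulnerable(installed) else 'patched'}")
    for hit in unexpected_admins(SAMPLE_ADMIN_CSV, {"siteowner", "editor-jane"}, "2026-01-01"):
        print(f"review admin account: ID={hit['ID']} login={hit['login']} registered={hit['registered']}")
```

Any account the script flags should be reviewed rather than deleted on the spot: confirm it with whoever manages the site, capture its details for the incident record, then remove it and rotate credentials and API keys that an administrator could have read.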

WordPress sites remain a frequent target for attackers because of their widespread use and large plugin ecosystem. Compromised websites are often repurposed for activities such as phishing campaigns, malware hosting, command-and-control infrastructure, or storing stolen data.

The incident follows another major WordPress security issue earlier this year involving the Modular DS plugin, where attackers exploited a critical flaw that allowed remote authentication bypass and administrator-level access.

As with most plugin vulnerabilities, rapid patching and regular security monitoring remain essential for preventing compromise.

