Critical WordPress plugin flaw lets attackers create admin accounts on vulnerable sites


A critical flaw in the User Registration & Membership plugin for WordPress can let unauthenticated attackers gain administrator-level access on affected sites. The bug, tracked as CVE-2026-1492, affects plugin versions through 5.1.2 and was fixed in version 5.1.3.

This matters because the plugin handles user registration and membership workflows, which often sit directly on public-facing pages. If a site still runs a vulnerable version, an attacker may abuse the registration flow to assign elevated privileges and take over the site.

The practical risk is simple. Once an attacker gets administrator access in WordPress, they can install malicious plugins, create hidden accounts, modify site content, steal data, or plant backdoors for later use.

What the vulnerability actually does

The flaw affects the User Registration & Membership plugin developed by WPEverest. Public advisories describe it as an improper privilege management issue in versions up to and including 5.1.2.

Terminal showing Apache and MariaDB status (Source – Cyfirma)

According to GitHub’s advisory and Wordfence’s write-up, the plugin accepted a user-supplied role during membership registration without enforcing a proper server-side allowlist. In plain terms, the backend did not sufficiently restrict what role a new registrant could end up with.

That makes this less about stealing an existing admin’s password and more about abusing a flawed registration path. An attacker does not need an existing account to start the attack, which is why defenders should treat internet-exposed membership pages as high-risk until patched.
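The pattern the advisories describe, as an added illustration that is not the plugin's actual code: a registration handler that trusts a client-supplied role, beside a hardened version that resolves the role server-side against a fixed allowlist. This is plain PHP with no WordPress dependency (the `role` request key, the allowlist contents and the inline `sanitize_key`-style normalisation are assumptions for the example); in a real plugin the returned value would be the `role` passed to `wp_insert_user()`.

```php
<?php
// Added illustrative example, not the plugin's own code. Shows the weak
// pattern described in the advisories (trusting a client-supplied role)
// next to a hardened version that resolves the role on the server.

// Roles a self-service registration form is ever allowed to produce.
// Hypothetical allowlist for this example; many sites want a single role.
const REGISTRATION_ROLE_ALLOWLIST = ['subscriber', 'member'];
const DEFAULT_REGISTRATION_ROLE = 'subscriber';

/**
 * Weak pattern: whatever role the client sends becomes the account's role.
 * A request carrying role=administrator yields an administrator account.
 */
function resolve_role_unsafe(array $request): string
{
    return isset($request['role'])
        ? (string) $request['role']
        : DEFAULT_REGISTRATION_ROLE;
}

/**
 * Hardened pattern: the client's value is only a hint and is checked against
 * a fixed server-side allowlist. Anything else ('administrator', 'editor',
 * a crafted string, a non-string) falls back to the default role.
 */
function resolve_role_safe(array $request): string
{
    if (!isset($request['role']) || !is_string($request['role'])) {
        return DEFAULT_REGISTRATION_ROLE;
    }
    // Normalise the same way WordPress's sanitize_key() does (lowercase,
    // keep only [a-z0-9_-]); done inline so this runs without WordPress.
    $candidate = preg_replace('/[^a-z0-9_\-]/', '', strtolower($request['role']));
    return in_array($candidate, REGISTRATION_ROLE_ALLOWLIST, true)
        ? $candidate
        : DEFAULT_REGISTRATION_ROLE;
}

// Constructed sample requests for the demo (not captured traffic).
$requests = [
    'normal signup'     => ['user_login' => 'alice',    'role' => 'subscriber'],
    'elevated role'     => ['user_login' => 'mallory',  'role' => 'administrator'],
    'case/format trick' => ['user_login' => 'mallory2', 'role' => 'Administrator '],
    'no role field'     => ['user_login' => 'bob'],
];

foreach ($requests as $label => $req) {
    printf("%-18s unsafe=%-14s safe=%s\n",
        $label, resolve_role_unsafe($req), resolve_role_safe($req));
}
```

Run with `php example.php`: only the unsafe resolver ever returns `administrator`; the hardened one maps every non-allowlisted or malformed value to `subscriber`. The important design point is that the allowlist is a server-side constant, so the client's input can widen nothing, whichever form field or parameter name it arrives in.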

Affected versions and fix

Vulnerability: CVE-2026-1492
Plugin: User Registration & Membership for WordPress
Affected versions: Up to and including 5.1.2
Fixed version: 5.1.3
Severity: Critical
Reported impact: Unauthenticated privilege escalation / admin account creation

Why site owners should act fast

The official and industry advisories agree on the core risk: this bug can hand over powerful privileges to an attacker on unpatched sites. For WordPress administrators, that means a vulnerable site can turn into a launch point for malware, spam redirects, phishing pages, credential theft, or deeper compromise.

The plugin appears in the public WordPress plugin directory, and security write-ups describe it as widely deployed. That does not automatically mean mass exploitation is underway everywhere, but it does mean exposed sites make attractive targets because the attack path does not require a valid login first.

WordPress Dashboard showing successful login (Source – Cyfirma)

The safest assumption is that attackers will scan for sites that still run the vulnerable build. In WordPress cases like this, the gap between public disclosure and opportunistic probing often stays short.

What admins should do now

  • Update the plugin to version 5.1.3 or later immediately
  • Review all administrator accounts for anything unfamiliar
  • Remove rogue accounts and rotate passwords for privileged users
  • Check installed plugins and themes for unexpected additions or file changes
  • Inspect logs for suspicious registration or AJAX activity
  • Disable public registration temporarily if you cannot patch right away

Signs a site may already be compromised

A patched plugin stops new abuse, but it does not undo a prior takeover. Site owners should look for signs that an attacker already used the flaw before the update.

Common warning signs include unknown admin users, changed site content, unfamiliar plugins, odd redirects, or sudden spikes in outbound spam and malicious traffic. Any of those may suggest the site needs a full incident response review, not just a version bump.
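Two of the checks from the admin checklist above and from this section, the plugin version test and the review of administrator accounts, as an added offline triage helper that is not part of the article or the plugin. It takes the user list in the shape `wp user list --format=json` produces (the JSON below is a constructed sample, not real site data) and the installed plugin version as a string; the review cutoff date and the sample account names are assumptions for the example.

```php
<?php
// Added triage helper, not part of the article or the plugin. It applies two
// checklist items to exported data:
//   1. is the installed plugin build still in the affected range?
//   2. which administrator accounts were registered at or after a chosen
//      cutoff (for instance the disclosure date), so they can be reviewed?

const FIXED_VERSION = '5.1.3';               // first fixed release, per the advisory
const REVIEW_CUTOFF = '2026-01-01 00:00:00'; // hypothetical start of the review window

/** True when the installed build is older than the first fixed release. */
function plugin_is_vulnerable(string $installed): bool
{
    // version_compare handles multi-digit components correctly (5.1.10 > 5.1.3),
    // which a naive string comparison would get wrong.
    return version_compare($installed, FIXED_VERSION, '<');
}

/**
 * Returns the users that hold the administrator role and were registered
 * at or after $cutoff. WordPress stores user_registered in UTC.
 * Accepts roles either as a comma-separated string (wp user list JSON)
 * or as an array (get_users() objects converted to arrays).
 */
function recent_admins(array $users, string $cutoff): array
{
    $cutoffTs = strtotime($cutoff . ' UTC');
    return array_values(array_filter($users, function (array $u) use ($cutoffTs): bool {
        $roles = is_array($u['roles'])
            ? $u['roles']
            : array_map('trim', explode(',', (string) $u['roles']));
        $registeredTs = strtotime($u['user_registered'] . ' UTC');
        return in_array('administrator', $roles, true) && $registeredTs >= $cutoffTs;
    }));
}

// Constructed sample export (same field names as `wp user list --format=json`).
$sampleUsersJson = <<<'JSON'
[
  {"ID":1,"user_login":"siteowner","display_name":"Site Owner","user_email":"owner@example.com","user_registered":"2022-03-14 09:12:00","roles":"administrator"},
  {"ID":57,"user_login":"alice","display_name":"Alice","user_email":"alice@example.com","user_registered":"2026-02-02 11:40:13","roles":"subscriber"},
  {"ID":58,"user_login":"wp_support_admin","display_name":"wp_support_admin","user_email":"x@mailbox.example","user_registered":"2026-02-03 03:21:55","roles":"administrator"}
]
JSON;
$users = json_decode($sampleUsersJson, true);

foreach (['5.1.2', '5.1.3', '5.1.10'] as $v) {
    printf("plugin %-7s vulnerable: %s\n", $v, plugin_is_vulnerable($v) ? 'yes' : 'no');
}
foreach (recent_admins($users, REVIEW_CUTOFF) as $u) {
    printf("REVIEW admin #%d %s <%s> registered %s\n",
        $u['ID'], $u['user_login'], $u['user_email'], $u['user_registered']);
}
```

On the sample data only the account registered after the cutoff is flagged; the long-standing owner account is not. A flagged account is a prompt for manual review, not proof of compromise, and an empty result does not clear a site that ran the vulnerable build, since an attacker can also elevate an existing account or plant persistence outside the users table.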

If you find evidence of compromise, treat the server as untrusted until you complete a cleanup. That usually means removing persistence mechanisms, resetting secrets, and restoring from a known-clean backup where necessary.

FAQ

What is CVE-2026-1492?

It is a critical vulnerability in the User Registration & Membership WordPress plugin that can let unauthenticated attackers gain elevated privileges on vulnerable sites.

Which versions are affected?

Public advisories say all versions up to and including 5.1.2 are affected. The fix shipped in version 5.1.3.

Does the attacker need an account first?

No. The documented issue allows abuse of the registration flow without prior authentication.

What is the biggest risk after exploitation?

Administrator-level access can let attackers fully control the site, add backdoors, alter content, and steal data.

Readers help support VPNCentral. We may get a commission if you buy through our links.