WordPress User Registration & Membership flaw lets attackers create admin accounts without logging in


A critical vulnerability in the User Registration & Membership plugin for WordPress can let attackers create administrator accounts without authentication. The bug, tracked as CVE-2026-1492, affects all versions up to and including 5.1.2, and the fix landed in 5.1.3.

The flaw is severe because it can hand over full site control in one step. According to the CVE record, the plugin accepted a user-supplied role during membership registration without properly enforcing a server-side allowlist, which made it possible for unauthenticated users to register as administrators.

That means an attacker would not need stolen credentials or an existing account. On a vulnerable site, a crafted registration request could create a new admin user and open the door to plugin installation, malicious redirects, content changes, or backdoor deployment. Wordfence does not spell out those outcomes in that exact wording, but they follow directly from administrator-level access in WordPress.

What happened

The bug affects the plugin officially listed on WordPress.org as User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder by wpeverest. The NVD entry says the vulnerability is an improper privilege management issue and shows a CVSS 3.1 score of 9.8 Critical from Wordfence.

WordPress plugin infrastructure also points to a security fix. The NVD references a WordPress plugin changeset for user-registration, and the WordPress.org plugin page now shows version 5.1.3 in its changelog stream after the vulnerable 5.1.2 line.

At a glance

Item                  Detail
CVE                   CVE-2026-1492
Plugin                User Registration & Membership
Affected versions     All versions up to and including 5.1.2
Fixed version         5.1.3
Severity              9.8 Critical
Attack requirement    None beyond reaching the registration flow

Why this bug is dangerous

This is the kind of WordPress flaw that turns a public-facing form into a full-site compromise path. If the plugin trusts the incoming role value during registration, an attacker can skip privilege boundaries that the server should enforce. The CVE description says that is exactly what happened here.
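The anti-pattern the CVE record describes, placed beside the server-side allowlist that closes it, as an added PHP example that is not the plugin's own code: the `hypothetical_*` handler names and the `member` role are assumptions, while `wp_insert_user`, `sanitize_key`, `sanitize_user`, `sanitize_email` and the `default_role` option are standard WordPress.

```php
<?php
// Added illustrative example; not code from User Registration & Membership.
// Handler names are hypothetical. Assumes it runs inside WordPress.

// Anti-pattern: the role is taken straight from the registration request,
// so a request that names 'administrator' is honoured.
function hypothetical_register_unsafe( array $request ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $request['username'] ?? '' ),
        'user_email' => sanitize_email( $request['email'] ?? '' ),
        'user_pass'  => $request['password'] ?? '',
        'role'       => $request['role'] ?? '', // client-controlled: the bug
    ) );
}

// Hardened: the server owns the list of roles that self-registration may
// grant. 'member' is a constructed example role; adjust to the site's roles.
const HYPOTHETICAL_SELF_REGISTER_ROLES = array( 'subscriber', 'member' );

// Map the requested role onto the allowlist; anything else, including a
// missing value or 'administrator', falls back to the site default role.
function hypothetical_resolve_role( $requested ) {
    $requested = sanitize_key( (string) $requested );
    if ( '' !== $requested
        && in_array( $requested, HYPOTHETICAL_SELF_REGISTER_ROLES, true ) ) {
        return $requested;
    }
    return get_option( 'default_role', 'subscriber' );
}

function hypothetical_register_safe( array $request ) {
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $request['username'] ?? '' ),
        'user_email' => sanitize_email( $request['email'] ?? '' ),
        'user_pass'  => $request['password'] ?? '',
        'role'       => hypothetical_resolve_role( $request['role'] ?? '' ),
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    // Defence in depth: a self-registered account must never end up with an
    // administrative capability, whatever role string reached us.
    $user = get_userdata( $user_id );
    if ( $user && $user->has_cap( 'manage_options' ) ) {
        $user->set_role( get_option( 'default_role', 'subscriber' ) );
    }
    return $user_id;
}
```

The same allowlist check belongs on every path that can assign a role after signup (profile edits, membership upgrades, REST or AJAX handlers), not only on the initial registration form.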

Once an attacker gets administrator access, the rest becomes standard WordPress takeover territory. They can install rogue plugins, alter themes, create hidden users, exfiltrate data, or inject spam and phishing content. Those are normal admin-level outcomes in WordPress, so site owners should treat this as urgent even if they have not seen obvious abuse yet.

One important caution about exploitation claims

The sample article says security systems blocked 74 attacks in the past 24 hours. I did not verify that figure in an official Wordfence page or another primary source I could confirm from the available results, so I would not present that number as established fact. What is confirmed is the vulnerability itself, the affected versions, the critical score, and the availability of a patch.

The sample also says the finder was “Foxyyy.” The public CVE data visible in the results attributes the finding to Friderika Baranyai. That is another detail worth correcting.

What site owners should do now

  • Update the plugin to 5.1.3 or later immediately.
  • Review all administrator accounts for anything unfamiliar or recently created.
  • Check user registration logs and web server logs for suspicious registration activity.
  • Reset passwords and rotate admin credentials if you find signs of abuse.
  • Audit installed plugins and themes for anything added without approval.

Those steps matter because patching stops new abuse, but it does not remove an attacker who already created an admin account before you updated. That follow-up review is essential after any privilege-escalation bug on a public registration path. This last point is a standard security inference from the nature of the flaw rather than a statement in the advisory.

FAQ

What is CVE-2026-1492?

It is a critical privilege-management flaw in the WordPress User Registration & Membership plugin that can let unauthenticated attackers create administrator accounts.

Which versions are affected?

All versions up to and including 5.1.2 are affected.

What version fixes the bug?

The fix is in 5.1.3.

Does the attacker need to log in first?

No. The CVE description says the flaw is exploitable by unauthenticated attackers through membership registration.

Can this lead to full site takeover?

Yes. An attacker who creates an administrator account can take broad control over the WordPress site. That is the practical consequence of admin access in WordPress.
