Critical Vulnerability in WordPress Membership Plugin Allows Unauthorized Admin Account Creation
A critical vulnerability, tracked as CVE-2026-1492, has been identified in the User Registration & Membership plugin for WordPress. It allows unauthenticated attackers to create administrator accounts through the public registration form, which amounts to complete control over an affected site.
Understanding the Vulnerability
The User Registration & Membership plugin is widely used by site administrators to build custom registration forms and manage user profiles. Versions up to and including 5.1.2 are affected by an improper privilege management flaw: during registration, the plugin accepts the role supplied in the user's request without enforcing a server-side allowlist. Because the server never checks whether the requested role is one the form is permitted to hand out, an attacker can submit a registration request that names an elevated role such as administrator and have it honoured. The result is full administrative control of the WordPress site without any prior authentication.
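The bug class described above, as an added illustration that is not the plugin's own code: a registration handler that stores whatever role the client sends, next to a hardened version that takes the role from server-side form settings and checks it against an allowlist. It is written in Python rather than PHP so the logic reads language-neutrally; the request dictionary, `form_config`, the role sets and the crafted sample request are all assumptions, not details from the advisory.

```python
"""Vulnerable and hardened role assignment for a self-service registration form.

Added illustration, not the plugin's own code: it models the bug class
described in the advisory (a client-supplied role honoured without a
server-side allowlist). Every name here (request dict, form_config, the
role sets) is an assumption.
"""
from dataclasses import dataclass

# Assumption: roles a public registration form may ever hand out.
REGISTRATION_ROLE_ALLOWLIST = frozenset({"subscriber", "customer"})


@dataclass
class NewUser:
    login: str
    email: str
    role: str


def register_vulnerable(request: dict) -> NewUser:
    """Bug pattern: whatever role the request carries is stored as-is.

    An unauthenticated client that adds role=administrator to the form
    post becomes an administrator.
    """
    role = request.get("role", "subscriber")  # attacker-controlled value
    return NewUser(request["user_login"], request["user_email"], role)


def register_hardened(request: dict, form_config: dict) -> NewUser:
    """Fix pattern: the role is taken from server-side form settings and
    checked against an allowlist; the client's value is never used.

    A request that tries to override the role is rejected outright rather
    than silently downgraded, so the attempt surfaces in error logs.
    """
    configured_role = form_config["default_role"]
    if configured_role not in REGISTRATION_ROLE_ALLOWLIST:
        # Misconfiguration guard: even an admin-set default may not be privileged.
        raise ValueError(f"form default role {configured_role!r} is not allowed")

    client_role = request.get("role")
    if client_role is not None and client_role != configured_role:
        raise PermissionError(f"client-supplied role {client_role!r} rejected")

    return NewUser(request["user_login"], request["user_email"], configured_role)


if __name__ == "__main__":
    # Constructed crafted request of the kind the advisory describes.
    crafted = {"user_login": "wpupdate", "user_email": "x@example.invalid",
               "role": "administrator"}
    print("vulnerable handler stores:", register_vulnerable(crafted))
    try:
        register_hardened(crafted, {"default_role": "subscriber"})
    except PermissionError as exc:
        print("hardened handler:", exc)
```

The important design point is that the hardened handler never reads the client's role to decide anything; the role comes from configuration the site owner controls, and the allowlist additionally guards against that configuration itself being set to a privileged role. Rejecting a tampered request instead of quietly assigning the default is a choice: it loses nothing for legitimate users and produces a log entry worth alerting on.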
Potential Consequences
Once an attacker has administrative access, they can perform a range of malicious activities, including:
– Stealing sensitive user data
– Modifying website content
– Installing malicious backdoors
The severity of this vulnerability is reflected in its critical CVSS score of 9.8. Active exploitation attempts have already been observed in the wild, with numerous attack requests blocked within a short period.
Additional Security Concerns
This plugin has had several security issues recently. Version 5.1.2 is also affected by an authentication bypass, tracked as CVE-2026-1779, which lets attackers circumvent the login mechanism entirely.
Mitigation and Remediation Steps
Website administrators are urged to take immediate action to secure their platforms:
1. Update the Plugin: The vendor has released a patch that restricts which roles may be assigned during registration, so that elevated roles submitted with a registration request are rejected and the privilege escalation no longer works. Administrators should update to version 5.1.3 or later without delay.
2. Audit User Accounts: Review all existing accounts and remove any administrator profile that was not created by a known, authorised person. Compare the current administrator list against a known-good list and pay particular attention to accounts created shortly before the update. If an unauthorised administrator is found, treat the site as compromised: the attacker may already have installed backdoors, so also review installed plugins, themes and scheduled tasks.
3. Monitor Registration Activity: Watch the registration endpoints for suspicious activity, in particular requests that carry an elevated role value. Note that standard web server access logs do not record POST bodies, so the submitted role is only visible in application-level, WAF or request-logging data; make sure one of those sources exists before relying on it for detection.
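Steps 2 and 3 above, as one added example rather than vendor tooling: an audit over a user export that flags administrator accounts which are either unexpected or were created on or after a chosen date, and a scan of request records that flags registration POSTs carrying a privileged role value. The input shapes are assumptions: the user export mirrors the JSON emitted by `wp user list --format=json` (fields `ID`, `user_login`, `user_email`, `user_registered`, `roles`), and the request log is a constructed JSON-lines format with `src`, `method`, `uri`, `status` and the decoded POST `body`, as a WAF or application audit log might produce. The sample records, the `/register` path and the cut-off date are constructed for the demonstration.

```python
"""Audit and detection helpers for the remediation steps above.

Added example, not the plugin vendor's tooling. Input shapes are
assumptions: the user export mirrors `wp user list --format=json`, and
the request log is a constructed JSON-lines format carrying the decoded
POST body (standard access logs do not include it).
"""
from __future__ import annotations

import json
from datetime import datetime
from urllib.parse import parse_qs, urlparse

PRIVILEGED_ROLES = frozenset({"administrator", "editor"})

# Assumption: the registration form posts to a URL containing this path.
REGISTRATION_PATH_MARKER = "/register"


def find_unexpected_admins(user_export: str, approved_logins: set[str],
                           since: datetime) -> list[dict]:
    """Return administrator accounts that are not on the approved list or
    were registered on/after `since` (e.g. the first observed attack)."""
    findings = []
    for user in json.loads(user_export):
        raw_roles = user["roles"]
        roles = set(raw_roles.split(",")) if isinstance(raw_roles, str) else set(raw_roles)
        if "administrator" not in roles:
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if user["user_login"] not in approved_logins or registered >= since:
            findings.append({"ID": user["ID"], "user_login": user["user_login"],
                             "user_registered": user["user_registered"]})
    return findings


def flag_role_requests(log_lines) -> list[dict]:
    """Return registration POSTs whose query string or body carries a
    privileged role in any parameter whose name contains 'role'."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        parsed = urlparse(rec.get("uri", ""))
        if rec.get("method") != "POST" or REGISTRATION_PATH_MARKER not in parsed.path:
            continue
        params = parse_qs(parsed.query)
        params.update(parse_qs(rec.get("body", "")))
        requested = {v for k, vals in params.items() if "role" in k.lower() for v in vals}
        bad = requested & PRIVILEGED_ROLES
        if bad:
            hits.append({"src": rec.get("src"), "uri": rec["uri"], "roles": sorted(bad)})
    return hits


# Constructed sample data (not real accounts or traffic).
SAMPLE_USER_EXPORT = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.invalid",
     "user_registered": "2023-05-02 10:11:12", "roles": "administrator"},
    {"ID": 77, "user_login": "jsmith", "user_email": "j@example.invalid",
     "user_registered": "2026-01-20 03:14:07", "roles": "subscriber"},
    {"ID": 78, "user_login": "wpupdate", "user_email": "x@example.invalid",
     "user_registered": "2026-01-21 04:05:06", "roles": "administrator"},
])

SAMPLE_REQUEST_LOG = """
{"src": "203.0.113.9", "method": "POST", "uri": "/register/", "status": 200, "body": "user_login=wpupdate&user_email=x%40example.invalid&role=administrator"}
{"src": "198.51.100.4", "method": "POST", "uri": "/register/", "status": 200, "body": "user_login=jsmith&user_email=j%40example.invalid"}
{"src": "198.51.100.5", "method": "GET", "uri": "/register/?role=administrator", "status": 200, "body": ""}
""".splitlines()

# Assumption: the date from which registrations are treated as suspect.
AUDIT_SINCE = datetime(2026, 1, 15)

if __name__ == "__main__":
    for f in find_unexpected_admins(SAMPLE_USER_EXPORT, {"siteowner"}, AUDIT_SINCE):
        print("unexpected administrator:", f)
    for h in flag_role_requests(SAMPLE_REQUEST_LOG):
        print("privileged role in registration request:", h)
```

The audit deliberately flags on either condition (unknown login or recent creation) because an attacker can pick any login name, so a date-based check is the only one that catches an account that happens to look plausible. The request scan matches any parameter whose name contains "role" rather than one fixed field name, since the exact parameter the plugin reads is not stated here; a GET probe with a role in the query string is skipped because it cannot create an account, but it is still worth counting as reconnaissance.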
Because this flaw lets an unauthenticated attacker create administrator accounts, any site still running a vulnerable version remains highly exposed. Applying the security update is the single most effective measure; the account audit and monitoring above are what catch an intrusion that happened before the patch was applied.