A critical unauthenticated admin-access vulnerability has been discovered in the User Registration & Membership WordPress plugin, allowing attackers to create administrator accounts.
The vulnerability, tracked as CVE-2026-1492, affects plugin versions up to 5.1.2. Because it can be exploited without authentication or any interaction from a site user, it has been given a critical CVSS score of 9.8.
This means attackers could potentially gain full control of affected WordPress websites.
WordPress Plugin Unauthenticated Admin Access Vulnerability Explained
The problem comes from how the plugin handles user roles during the registration process.
Security researcher Friderika Baranyai (Foxyyy) from Wordfence Intelligence discovered that the plugin does not properly limit which role a new user can request when registering through a membership form.
Normally, websites should restrict roles like administrator so that regular users cannot assign them to themselves. However, the vulnerable plugin accepts the role value sent by the user without proper validation.
Because of this flaw, attackers can modify the registration request and insert administrator as their role. The site then processes the request and creates a new admin account.
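To make the flaw class concrete from the defender's side, here is an added example (constructed for this article, not the plugin's own code, and not claimed to match the patched release) that places a registration handler trusting a client-supplied role beside a hardened version that resolves the role server-side. The function names, the `member` role and the `$_POST` field names are assumptions; the WordPress calls (`wp_insert_user`, `get_option`, `get_role`, `sanitize_key`, `WP_Error`) are real core APIs.

```php
<?php
// Added example: weak pattern described in the article beside a hardened form.
// Function names, the 'member' role and the request field names are assumed.

// --- Weak pattern: the role is taken straight from the request -------------
function insecure_register_user( array $post ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['username'] ),
        'user_email' => sanitize_email( $post['email'] ),
        'user_pass'  => $post['password'],
        // Whatever the client sends is honoured, so a tampered request that
        // names a privileged role gets exactly that role.
        'role'       => $post['role'],
    ) );
}

// --- Hardened pattern: the client never chooses the role ------------------

// Roles a self-service registration form may grant. Anything else is refused
// no matter what the request contains. 'member' is an assumed custom role.
const SELF_REGISTRABLE_ROLES = array( 'subscriber', 'member' );

/**
 * Resolve the role for a new registrant from server-side configuration.
 *
 * @param string|null $requested Role value from the request, if any.
 * @return string|WP_Error Role slug, or an error when the request is not allowed.
 */
function resolve_registration_role( $requested ) {
    // Site-wide default for new users; falls back to subscriber.
    $role = get_option( 'default_role', 'subscriber' );

    if ( null !== $requested && '' !== $requested ) {
        $requested = sanitize_key( $requested );
        if ( ! in_array( $requested, SELF_REGISTRABLE_ROLES, true ) ) {
            return new WP_Error( 'forbidden_role', 'Requested role is not self-assignable.' );
        }
        $role = $requested;
    }

    // Defence in depth: never grant a role that can manage other users,
    // even if the allowlist or default_role option is misconfigured.
    $role_obj = get_role( $role );
    if ( ! $role_obj || ! empty( $role_obj->capabilities['edit_users'] ) ) {
        return new WP_Error( 'forbidden_role', 'Resolved role is not permitted for self-registration.' );
    }
    return $role;
}

function secure_register_user( array $post ) {
    $role = resolve_registration_role( $post['role'] ?? null );
    if ( is_wp_error( $role ) ) {
        return $role; // caller renders the error; no account is created
    }
    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['username'] ),
        'user_email' => sanitize_email( $post['email'] ),
        'user_pass'  => $post['password'],
        'role'       => $role,
    ) );
}
```

The design point is that the role is decided by configuration the site owner controls (an allowlist plus `default_role`), and the capability check on `edit_users` catches administrator-level roles even if someone later adds them to the allowlist by mistake.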
Potential Impact on Websites
Once attackers obtain administrator access, they can take full control of the WordPress site.
This level of access allows them to:
- Install malicious plugins or backdoors
- Steal sensitive data from the database
- Redirect visitors to malicious websites
- Modify website content or inject malware
Security researchers have already observed active exploitation attempts. Wordfence reported blocking 74 attacks targeting this vulnerability within just 24 hours, showing that attackers are quickly scanning for vulnerable sites.
How to Protect Your WordPress Site
Website owners should take immediate steps to secure their installations.
The vulnerability has been patched in version 5.1.3 of the User Registration & Membership plugin.
To reduce the risk of compromise, administrators should:
- Update the plugin to version 5.1.3 or the latest release
- Review all administrator accounts for suspicious users
- Remove any unknown or unauthorized accounts
- Reset passwords and security credentials if compromise is suspected
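To support the "review all administrator accounts" step above, here is an added audit script (not from the article or the plugin) that lists every administrator with their registration time and flags those created on or after a cutoff you choose. It uses the real core `get_users()` API and is meant to be run with WP-CLI as `wp eval-file audit-admins.php`; the filename and the cutoff date are assumptions.

```php
<?php
// Added example: enumerate administrator accounts for post-update review.
// Run with: wp eval-file audit-admins.php
// The cutoff is an assumed value; set it to when the vulnerable plugin
// version was first installed on the site. user_registered is stored in UTC.
$cutoff = '2026-01-01 00:00:00';

$admins = get_users( array(
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'DESC',
    'fields'  => 'all',
) );

$flagged = 0;
printf( "%-6s %-24s %-32s %-20s %s\n", 'ID', 'login', 'email', 'registered (UTC)', 'note' );
foreach ( $admins as $user ) {
    $recent = strtotime( $user->user_registered ) >= strtotime( $cutoff );
    $note   = '';
    if ( $recent ) {
        $flagged++;
        $note = 'REVIEW: registered on or after cutoff';
    }
    printf(
        "%-6d %-24s %-32s %-20s %s\n",
        $user->ID,
        $user->user_login,
        $user->user_email,
        $user->user_registered,
        $note
    );
}
printf( "\n%d administrator account(s), %d flagged for review.\n", count( $admins ), $flagged );
```

Any flagged account that no one on the team recognises should be treated as a sign of compromise: remove it (for example with `wp user delete <ID> --reassign=<known-admin-ID>`), rotate the remaining administrators' passwords, and check the site for plugins, files or scheduled tasks created around the same time.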
Previous Security Issues
This plugin has recently faced multiple security concerns. Earlier research also revealed:
- CVE-2026-1779 – an authentication bypass vulnerability
- An authorization issue that allowed attackers to delete posts without permission
Because WordPress plugins are frequently targeted, keeping software updated and using security tools like a web application firewall (WAF) can help prevent exploitation.