- Flaw in User Registration & Membership plugin allows attackers to gain administrator access without login
- Exposed nonce values allow unauthorized backend requests and privilege escalation
- Sensitive user data is exposed after administrative privileges are gained
A critical security flaw in a widely used WordPress plugin allows unauthenticated attackers to bypass authentication controls and gain full administrative access to affected websites.
The vulnerability, identified as CVE-2026-1492, affects the User Registration & Membership plugin, versions 5.1.2 and earlier.
Cyfirma experts say that improper server-side validation and weak authorization controls in the member registration workflow create this dangerous gap.
How attackers exploit the vulnerability without any credentials
Attackers can exploit exposed client-side data and insufficient backend validation to manipulate settings that directly influence authentication and privilege assignment.
The vulnerability comes from trusting user-controlled input rather than enforcing strict server-side validation.
Back-end endpoints process membership-related actions without proper authentication or authorization checks.
This weakness becomes dangerous because nonce values exposed in client-side JavaScript are readable by unauthenticated visitors.
Attackers can then reuse these nonce values in specially crafted requests to manipulate backend behavior, even for website builders.
By inspecting these values, attackers can create malicious requests targeting the WordPress AJAX endpoint at /wp-admin/admin-ajax.php.
The backend processes these requests without checking the origin of the request or the authorization status.
This results in automatic authentication and privilege escalation, where administrative access is granted without any legitimate login process taking place.
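As an added illustration, not the plugin's own code (hook names, the nonce action and the request field names are hypothetical), this is the pattern the article describes, a registration action whose only check is a nonce printed into page JavaScript, beside a hardened version that keeps role assignment and authentication decisions on the server:

```php
<?php
// Illustrative pattern only, not the plugin's code. Hook names, nonce action and
// field names are hypothetical. A nonce embedded in page JavaScript is a CSRF
// token, not an authorization check, so it cannot gate privilege assignment.

// --- Weak pattern: nonce check only, client-supplied role, auto-login -------
// wp_ajax_nopriv_* hooks run for visitors who are not logged in, and the nonce
// is printed into the page's JavaScript, so any visitor can read and reuse it.
add_action( 'wp_ajax_nopriv_demo_member_register', 'demo_member_register_weak' );
function demo_member_register_weak() {
    check_ajax_referer( 'demo_member_nonce', 'security' ); // CSRF token, not authz
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['username'] ?? '' ),
        'user_email' => sanitize_email( $_POST['email'] ?? '' ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        'role'       => $_POST['role'] ?? 'subscriber', // client decides its role
    ) );
    wp_set_auth_cookie( $user_id ); // new account is logged in immediately
    wp_send_json_success();
}

// --- Hardened pattern: fixed role, strict validation, no auto-login ---------
add_action( 'wp_ajax_nopriv_demo_member_register_safe', 'demo_member_register_safe' );
function demo_member_register_safe() {
    check_ajax_referer( 'demo_member_nonce', 'security' );
    // The server decides the role. Only a logged-in user holding the capability
    // may ever request anything above the default; wp_send_json_error() exits.
    $role = 'subscriber';
    if ( isset( $_POST['role'] ) && ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password = (string) ( $_POST['password'] ?? '' );
    if ( '' === $username || ! is_email( $email ) || strlen( $password ) < 12 ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    // No wp_set_auth_cookie(): the new account must go through the normal login.
    wp_send_json_success( array( 'message' => 'Account created, please log in.' ) );
}
```

The two handlers differ in exactly the points the article names: whether the role comes from the request, whether a capability check backs the nonce, and whether the endpoint authenticates the caller on its own.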
A successful exploit grants attackers unrestricted administrative privileges over the entire WordPress environment.
With this level of access, attackers can install malicious plugins and modify themes to execute arbitrary code.
They can also access sensitive user data, including credentials and configuration files.
Hidden administrator accounts can be created to ensure persistent access even after initial detection.
These attackers can also redirect website visitors to phishing pages or malware distribution sites.
Website defacement, content tampering, and malicious script injection become trivial once administrative control is established.
All versions of the User Registration & Membership plugin up to and including 5.1.2 are vulnerable to this flaw. The issue has been fixed in version 5.1.3 through improved validation and authorization mechanisms, so website administrators should update immediately.
After updating, administrators should review existing user accounts, especially those with administrative privileges, to identify any unauthorized accounts created before the patch was applied.
Suspicious sessions should be invalidated and credentials reset if a compromise is suspected.
The vulnerability carries a CVSS v4.0 score of 9.8 out of 10, indicating critical severity.
Discussions observed in underground forums show active interest in exploiting this vulnerability.
Hackers are already sharing exploitation techniques with each other and discussing automation strategies.
Initial access brokers can exploit this flaw to gain administrative access and resell it for ransomware deployment, SEO spam campaigns, or credential harvesting operations.
Given the low attack complexity and public awareness of this technique, website owners running the affected plugin should consider their systems actively at risk and prioritize immediate remediation.