- Critical flaw found in WordPress plugin allowing attackers to register unauthenticated administrator accounts
- More than 37,000 sites currently exposed
Tens of thousands of WordPress websites are vulnerable to complete site takeover, thanks to a recently discovered critical-severity vulnerability in a popular plugin.
Security researchers at Defiant (the company behind Wordfence) reported discovering a bug in User Registration & Membership, a WordPress plugin that helps administrators create subscription plans, control user access, and accept payments. The bug is caused by the plugin accepting a user-supplied role when registering members, without checking that role against a server-side allowlist.
As a result, unauthenticated attackers can create administrator accounts simply by supplying an administrator role value in the registration request.
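As an added illustration of that root cause (example code written for this article, not the plugin's own code), the snippet below shows a registration handler that passes the client-supplied role straight through, beside one that resolves the role from a server-side allowlist. The function names, the request array shape, the allowed roles and the default role are assumptions made for illustration; the resolved role is what such a handler would then hand to wp_insert_user().

```php
<?php
// Added example, not the plugin's real code. Function names, the $request
// shape, the allowlist contents and the default role are all assumptions.
declare(strict_types=1);

// sanitize_key() is a WordPress core function; a minimal stand-in is defined
// here so the example runs outside WordPress.
if (!function_exists('sanitize_key')) {
    function sanitize_key(string $key): string
    {
        return (string) preg_replace('/[^a-z0-9_\-]/', '', strtolower($key));
    }
}

// Vulnerable pattern: the role the client sends is used as-is. A request
// carrying role=administrator produces an administrator account.
function resolve_role_vulnerable(array $request): string
{
    return isset($request['role']) ? (string) $request['role'] : 'subscriber';
}

// Hardened pattern: the role must be on a fixed, server-side allowlist that
// never contains privileged roles. Anything else falls back to the default,
// so the client's value can only pick among roles the form may legitimately grant.
function resolve_role_hardened(array $request, array $allowed_roles, string $default_role): string
{
    $requested = isset($request['role']) ? sanitize_key((string) $request['role']) : $default_role;

    // Strict comparison; the allowlist comes from server configuration, not the request.
    if (!in_array($requested, $allowed_roles, true)) {
        return $default_role;
    }
    return $requested;
}

// Stricter still: ignore the request's role entirely and derive it from the
// plan the user signed up for, with the mapping held server-side.
function resolve_role_from_plan(array $request, array $plan_roles, string $default_role): string
{
    $plan_id = isset($request['plan_id']) ? sanitize_key((string) $request['plan_id']) : '';
    return $plan_roles[$plan_id] ?? $default_role;
}

// Constructed request, as an unauthenticated attacker would submit it.
$attacker_request = [
    'user_login' => 'attacker',
    'user_email' => 'attacker@example.com',
    'plan_id'    => 'free',
    'role'       => 'administrator',
];
$allowed_roles = ['subscriber', 'member'];          // roles a public form may grant
$plan_roles    = ['free' => 'subscriber', 'gold' => 'member'];

printf("vulnerable handler grants: %s\n", resolve_role_vulnerable($attacker_request));
printf("allowlisted handler grants: %s\n", resolve_role_hardened($attacker_request, $allowed_roles, 'subscriber'));
printf("plan-derived handler grants: %s\n", resolve_role_from_plan($attacker_request, $plan_roles, 'subscriber'));
```

The check must happen server-side; a hidden form field or client-side validation does nothing against a request crafted directly with curl. On a live site, the corresponding response check is to list administrator accounts (for example with WP-CLI's `wp user list --role=administrator --fields=ID,user_login,user_registered`) and treat any you did not create as evidence of compromise, not just as a cleanup task.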
Actively abused
The bug is described as “mishandling of privileges” and is now tracked as CVE-2026-1492. It has a CVSS score of 9.8 (critical) and affects all versions of the plugin up to and including 5.1.2. The issue is fixed in version 5.1.3, which is now available for download.
Researchers said they saw more than 200 attempts to exploit the vulnerability in just 24 hours, suggesting that cybercriminals are well aware of the flaw and are actively looking for exposed websites.
The attack surface is also large: according to the official WordPress repository, User Registration & Membership is installed on over 60,000 active websites, and a majority (62.7%) are running versions 4.4 or earlier.
This means that at least 37,000 websites (62.7% of 60,000) are currently susceptible to the improper privilege management bug.
To make matters worse, the repository's version statistics do not distinguish the vulnerable 5.1.2 from the patched 5.1.3, so the actual number of vulnerable websites may well be higher.
With an administrator account, bad actors can do all kinds of damage, from exfiltrating sensitive data to using the website as a malware host. They can also install backdoored plugins, redirect legitimate traffic to malicious, ad-filled websites, trick users into sharing their login credentials, and much more.
Via BleepingComputer