- Critical flaw found in WordPress plugin that allows attackers to register administrator accounts without authenticating
- More than 37,000 sites currently exposed
Tens of thousands of WordPress websites are vulnerable to full site takeover, thanks to a critical-severity vulnerability that was just discovered in a popular plugin.
Security researchers at Defiant reported finding a bug in User Registration and Membership, a WordPress plugin that helps administrators create subscription plans, control user access, and accept payments. The error occurs because the plugin accepts a user-provided role during membership registration without properly checking it against a server-side allowlist.
As a result, unauthenticated attackers can create administrator accounts simply by supplying a role value at registration time.
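The defect described above, as an added illustration rather than the plugin's own code: the first handler trusts whatever role the registration request carries, while the second derives the role from server-side plan configuration and checks it against an allowlist. The plan table, the role names `member`, and the `SELF_REGISTRATION_ROLES` constant are hypothetical; in a real plugin the chosen role would be the `role` field passed to WordPress's `wp_insert_user()`.

```php
<?php
// Constructed sample request, as an unauthenticated visitor could send it.
// Note the client-controlled 'role' field.
$request = [
    'username' => 'newmember',
    'email'    => 'newmember@example.invalid',
    'plan_id'  => 'basic',
    'role'     => 'administrator',
];

// Vulnerable pattern: the role is taken from the request as-is, so the
// client decides its own privilege level.
function role_from_request_unsafe(array $request): string
{
    return $request['role'] ?? 'subscriber';
}

// Hypothetical server-side configuration: which plan grants which role,
// and the complete set of roles self-registration may ever hand out.
const PLAN_TO_ROLE = ['basic' => 'subscriber', 'premium' => 'member'];
const SELF_REGISTRATION_ROLES = ['subscriber', 'member'];

// Hardened pattern: the request only names a plan; the role comes from the
// server-side mapping, and even that result must be on the allowlist, so a
// misconfigured plan can never escalate. Strict in_array() avoids type
// juggling surprises with odd input.
function role_from_plan_safe(array $request, string $default = 'subscriber'): string
{
    $plan = (string) ($request['plan_id'] ?? '');
    $role = PLAN_TO_ROLE[$plan] ?? $default;
    return in_array($role, SELF_REGISTRATION_ROLES, true) ? $role : $default;
}

printf("unsafe handler grants: %s\n", role_from_request_unsafe($request));
printf("safe handler grants:   %s\n", role_from_plan_safe($request));
```

Running the script with `php` shows the unsafe handler granting the request's `administrator` value while the hardened one grants `subscriber`; the same allowlist check also catches a role that exists in WordPress but was never meant to be self-assignable.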
Actively abused
The bug is described as “improper privilege management” and is now tracked as CVE-2026-1492. It has a severity score of 9.8/10 (critical) and affects all versions of the plugin up to and including 5.1.2. It was fixed in version 5.1.3, which is now available for download.
Researchers said they saw more than 200 attempts to exploit this vulnerability in just 24 hours, suggesting that cybercriminals are well aware of the flaw and are actively searching for exposed websites.
The attack surface is also quite large: according to the official WordPress repository, User Registration & Membership is installed on over 60,000 active websites, with the vast majority (62.7%) running versions 4.4 and earlier.
That means that at least 37,000 websites are currently susceptible to the improper privilege management error.
To make matters worse, the plugin page does not differentiate between versions 5.1.2 and 5.1.3, so it is quite possible that the actual number of vulnerable websites is even higher.
With an administrator account, threat actors can wreak all kinds of havoc, from leaking sensitive data to using the website as a malware host. They can also redirect legitimate traffic to malicious websites filled with ads, trick users into sharing their login credentials, and more.
Via BleepingComputer