- User Registration and Membership Plugin Flaw Allows Attackers to Gain Admin Access Without Login
- Exposed nonce values allow unauthorized backend requests and privilege escalation
- Sensitive user data is exposed once administrative privileges are gained
A critical security flaw in a widely used WordPress plugin allows unauthenticated attackers to bypass authentication controls and gain full administrative access to affected websites.
The vulnerability, identified as CVE-2026-1492, affects the User Registration and Membership plugin, versions 5.1.2 and earlier.
Cyfirma experts say that inadequate server-side validation and weak authorization controls within the membership registration workflow create this dangerous gap.
How attackers exploit the vulnerability without credentials
Attackers can abuse exposed client-side data and insufficient backend validation to manipulate parameters that directly influence authentication and privilege assignment.
The vulnerability arises from relying on user-controlled input instead of enforcing strict server-side validation.
Backend endpoints process membership-related actions without proper authorization or authentication checks.
This weakness becomes dangerous because nonce values exposed within client-side JavaScript are accessible to unauthenticated users.
Attackers can then reuse these nonce values in crafted requests that manipulate backend behavior, including actions meant only for the site's owners.
By inspecting these values, attackers can create malicious requests directed to the WordPress AJAX endpoint at /wp-admin/admin-ajax.php.
The backend processes these requests without checking the origin of the request or the authorization status.
This results in automatic authentication and privilege escalation, where administrative access is granted without any legitimate login process taking place.
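The weakness described above is the combination of an AJAX action reachable without login, a nonce that every visitor already holds being treated as proof of authorization, and a role or login decision driven by request parameters. The following PHP is an added illustration and is not the plugin's code or TechRadar's: the action name `demo_membership_activate`, the field names and the plan-to-role mapping are all assumptions. It shows the vulnerable handler shape beside a hardened version that keeps the nonce check for CSRF but adds a real capability check, drops the `nopriv` registration, and chooses the role server-side.

```php
<?php
// Added example, not the plugin's own code. Action name, field names and the
// plan-to-role mapping are hypothetical.

// Vulnerable shape: reachable by anonymous callers, nonce treated as
// authorization, role and login target taken from user-controlled input.
function demo_activate_membership_vulnerable() {
    // A nonce only proves the request came from a page that embedded it; when
    // that page is public, every visitor has one. It is not an authorization check.
    check_ajax_referer( 'demo_membership', 'security' );

    $user_id = absint( $_POST['user_id'] ?? 0 );
    $role    = sanitize_key( $_POST['role'] ?? 'subscriber' ); // attacker-controlled

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'no such user' );
    }
    $user->set_role( $role );        // no current_user_can() check
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id );  // logs the caller in as that user
    wp_send_json_success();
}
// The vulnerable shape would be registered like this (left unregistered here
// so the hardened handler below owns the action):
// add_action( 'wp_ajax_nopriv_demo_membership_activate', 'demo_activate_membership_vulnerable' );
// add_action( 'wp_ajax_demo_membership_activate',        'demo_activate_membership_vulnerable' );

// Hardened shape: logged-in callers only, capability check, nonce kept for
// CSRF, role derived from server-side state, no authentication side effect.
function demo_activate_membership_hardened() {
    check_ajax_referer( 'demo_membership', 'security' );

    // Authorization: only users allowed to change other users' roles.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $user_id = absint( $_POST['user_id'] ?? 0 );
    $user    = get_userdata( $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 404 );
    }

    // The role comes from the membership plan stored server-side, never from
    // the request. Mapping below is a constructed placeholder.
    $plan_roles = array( 'basic' => 'subscriber', 'pro' => 'contributor' );
    $plan       = get_user_meta( $user_id, 'demo_membership_plan', true );
    $role       = $plan_roles[ $plan ] ?? 'subscriber';

    $user->set_role( $role );
    // Activating a membership is not a login: no wp_set_auth_cookie() here.
    wp_send_json_success( array( 'user_id' => $user_id, 'role' => $role ) );
}
// No wp_ajax_nopriv_ registration, so unauthenticated requests to
// /wp-admin/admin-ajax.php for this action get WordPress's default "0" reply.
add_action( 'wp_ajax_demo_membership_activate', 'demo_activate_membership_hardened' );
```

The two lines worth auditing in any membership or registration handler are the `wp_ajax_nopriv_` registration (does an anonymous caller need this action at all?) and any `set_role()`, `wp_set_auth_cookie()` or `wp_update_user()` call whose argument can be traced back to `$_POST` or `$_GET` without a `current_user_can()` gate in between.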
Successful exploitation grants attackers unlimited administrative privileges across the WordPress environment.
With this level of access, attackers can install malicious plugins and modify themes to execute arbitrary code.
They can also access sensitive user data, including credentials and configuration files.
Hidden administrator accounts can be created to ensure persistent access even after initial detection.
These attackers can also redirect website visitors to phishing pages or malware distribution sites.
Website defacement, content manipulation, and malicious script injection become trivial once administrative control is established.
All versions of the User Registration and Membership plugin up to and including version 5.1.2 are vulnerable to this flaw. The issue was fixed in version 5.1.3 through improved validation and authorization mechanisms, so website administrators should update immediately.
After the update, administrators should review existing user accounts, especially those with administrative privileges, which will help identify any unauthorized accounts created before applying the patch.
Suspicious sessions should be invalidated and credentials reset if they are suspected of being compromised.
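As an added example of the post-update review just described (not a script from the plugin vendor or TechRadar), the PHP below lists every administrator account, flags those registered after a cut-off date you supply, and for the flagged accounts invalidates all sessions and sets a random password so the owner must reset it. It is meant to be run with WP-CLI as `wp eval-file audit-admins.php`; the cut-off date is a constructed placeholder and should be replaced with the date the patch was applied.

```php
<?php
// Added audit helper, not part of the plugin. Run via: wp eval-file audit-admins.php
// $cutoff is a constructed placeholder: use the date you applied the 5.1.3 update.
$cutoff_ts = strtotime( '2026-01-01 00:00:00' );

// get_users() reads the role from user meta, so accounts hidden from the
// Users screen by display filters are still returned.
$admins = get_users( array(
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'ASC',
) );

$flagged = array();
foreach ( $admins as $user ) {
    $recent = strtotime( $user->user_registered ) >= $cutoff_ts;
    if ( $recent ) {
        $flagged[] = $user;
    }
    printf(
        "%s %5d  %-20s %-30s registered %s\n",
        $recent ? '!!' : '  ',
        $user->ID,
        $user->user_login,
        $user->user_email,
        $user->user_registered
    );
}

// Containment for accounts you decide are suspicious: kill every session
// (stolen auth cookies stop working) and replace the password with a random
// one so the legitimate owner, if any, must go through password reset.
// Accounts are left in place rather than deleted so they remain reviewable.
foreach ( $flagged as $user ) {
    WP_Session_Tokens::get_instance( $user->ID )->destroy_all();
    wp_set_password( wp_generate_password( 32, true ), $user->ID );
    printf( "reset sessions and password for user %d (%s)\n", $user->ID, $user->user_login );
}

// If you suspect the compromise is wider than the flagged accounts, expire
// every session on the site; all users, including you, will have to log in again.
// WP_Session_Tokens::destroy_all_for_all_users();
```

Registration date alone is not proof of compromise: compare the flagged logins against your own change records, and treat any administrator you cannot account for, whatever its date, as suspicious.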
The vulnerability has a CVSS v4.0 score of 9.8 out of 10, indicating critical severity.
Discussions observed in clandestine forums show an active interest in exploiting this vulnerability.
Hackers are already sharing exploitation techniques with each other and discussing automation strategies.
Initial access agents can exploit this flaw to gain administrative access and resell it for ransomware deployment, SEO spam campaigns, or credential harvesting operations.
Given the low complexity of the exploit and public awareness of the technique, website owners running the affected plugin should treat their systems as if they were at active risk and prioritize immediate remediation.