A critical security flaw, identified as CVE-2026-1492, has been found in the User Registration & Membership plugin for WordPress.
This vulnerability allows unauthenticated attackers to bypass security controls and create administrator accounts, leading to a complete website takeover.
The User Registration & Membership plugin helps website owners create custom registration forms and manage user profiles.
However, versions up to and including 5.1.2 suffer from a severe improper privilege management issue. When a new user registers, the plugin accepts a user-supplied role without enforcing a server-side allowlist.
Because the system does not verify if the requested role is permitted, attackers can send a request to register as an administrator.
This flaw gives the attacker full control over the affected WordPress site without needing any prior authentication.
Once inside, attackers can steal sensitive user data, change website content, or install malicious backdoors. Security researcher Foxyyy discovered the vulnerability, which carries a critical CVSS score of 9.8.
Security systems are already detecting active exploitation attempts in the wild, blocking 74 attacks over the past 24 hours. Furthermore, this plugin has experienced a string of other recent security issues.
For example, version 5.1.2 is also vulnerable to an Authentication Bypass tracked as CVE-2026-1779, which allows attackers to bypass login mechanisms entirely.
Website administrators must take immediate action to protect their platforms. The software vendor has released a patch that restricts which roles can be assigned during registration.
This fix effectively blocks users from submitting elevated roles and stops the privilege escalation attack.
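The class of fix described above, as an added example written for this article rather than the vendor's patch or the plugin's own code: a server-side role allowlist for self-registration, plus a defence-in-depth guard on WordPress core's `user_register` action. The function names, the `customer` role and the use of `error_log` as the alert channel are assumptions.

```php
<?php
// Added example (not the plugin's or vendor's code). Function names,
// the 'customer' role and the logging target are hypothetical.

/**
 * Resolve the role a self-registered user may receive.
 * Anything not on the allowlist falls back to the site default role.
 */
function example_allowed_registration_role( $requested_role ) {
    // Roles a visitor may self-assign; privileged roles are never listed.
    $allowlist = array( 'subscriber', 'customer' ); // 'customer' assumed for a membership site

    $default = get_option( 'default_role', 'subscriber' );
    $role    = sanitize_key( (string) $requested_role );

    if ( '' === $role || ! in_array( $role, $allowlist, true ) ) {
        return $default;
    }
    // The role must also exist on this site (a typo or removed role is rejected).
    return isset( wp_roles()->roles[ $role ] ) ? $role : $default;
}

/**
 * Defence in depth: if a newly inserted account is privileged but was not
 * created by someone allowed to create users, demote it and log the event.
 * Hooked to core's 'user_register' action, which fires after wp_insert_user().
 */
function example_guard_new_user_role( $user_id ) {
    // WP-CLI and cron have no logged-in user; leave those contexts alone.
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $privileged = array( 'administrator', 'editor' );
    if ( array_intersect( $privileged, (array) $user->roles )
         && ! current_user_can( 'create_users' ) ) {
        error_log( sprintf(
            'Registration guard: demoted new user %d (roles: %s) from %s',
            $user_id,
            implode( ',', $user->roles ),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        $user->set_role( get_option( 'default_role', 'subscriber' ) );
    }
}
add_action( 'user_register', 'example_guard_new_user_role', 10, 1 );
```

The guard's log line doubles as a detection signal for the registration-endpoint monitoring the article recommends, since a legitimate front-end signup should never trip it.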
According to Wordfence, the vulnerability was disclosed on March 2, 2026, updated on March 3, and users should immediately update the plugin to version 5.1.3 or later.
Additionally, administrators should conduct an access review to audit existing user accounts for any unauthorized administrator profiles.
Implementing traffic monitoring on registration endpoints to watch for suspicious activity or abnormal role requests is also highly recommended.
Because this flaw does not require an attacker to log in first, websites running older, vulnerable versions remain highly exposed to the creation of administrator accounts.
Applying the latest security update is the best way to secure the membership registration forms and protect the website from unauthorized access.
The post WordPress Membership Plugin Vulnerability Let Attackers Create Admin Accounts appeared first on Cyber Security News.