Full Report
Hackers are exploiting a critical vulnerability in the User Registration & Membership plugin, which is installed on more than 60,000 WordPress sites. [...]
Analysis Summary
# Vulnerability: Unauthenticated Privilege Escalation via Membership Registration
## CVE Details
- **CVE ID:** CVE-2026-1492
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-269 (Improper Privilege Management) / CWE-284 (Improper Access Control)
## Affected Systems
- **Products:** User Registration & Membership plugin (WordPress) by WPEverest.
- **Versions:** All versions up to and including **5.1.2**.
- **Configurations:** Sites where the membership registration feature is enabled and the plugin is active.
## Vulnerability Description
The flaw exists because the plugin fails to validate or restrict the user-supplied role during the registration process. The application accepts a `role` parameter submitted with a membership sign-up and assigns that role without verifying whether the requester is authorized to claim it. This allows an unauthenticated attacker to submit a registration request with the role set to 'administrator', granting them full control over the WordPress site.
## Exploitation
- **Status:** **Exploited in the wild.** Active exploitation attempts were observed by security researchers (Wordfence identified 200+ attempts in 24 hours).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full access to site databases, user information, and configuration).
- **Integrity:** High (Ability to modify PHP code, themes, plugins, and site content).
- **Availability:** High (Ability to lock out legitimate administrators or delete the site).
## Remediation
### Patches
- **Update to Version 5.1.3 or higher.** (Note: Version 5.1.4 is the current recommended stable version).
### Workarounds
- If patching is not immediately possible, **deactivate or uninstall** the "User Registration & Membership" plugin until it can be updated.
- Disable user registration globally in WordPress settings if it is not a core business requirement.
## Detection
- **Indicators of Compromise:**
  - Presence of unknown or suspicious accounts with 'Administrator' privileges in the WordPress dashboard.
  - Audit logs showing registration requests containing parameters like `user_role=administrator` or similar.
  - Unexpected changes to plugin or theme files (e.g., webshells or malicious scripts).
- **Detection methods and tools:**
  - Use security plugins such as Wordfence or Sucuri to scan for unauthorized admin accounts.
  - Review WordPress access logs for POST requests to the user registration endpoints.
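The log review described above, as an added detection example (not from the advisory or the plugin): it assumes the request parameters are visible in the log line (query string, or a `body="..."` field as a WAF or audit plugin would add), and the registration path prefixes are placeholders for the site's real endpoints.

```python
"""Flag sign-up requests that try to claim a privileged WordPress role.
Assumes parameters are visible in the log line (query string, or a body="..."
field added by a WAF/audit log); plain access logs omit POST bodies."""
import re
from urllib.parse import parse_qs, urlparse

PRIVILEGED_ROLES = {"administrator", "editor", "author"}  # never claimable at sign-up
# Placeholder path prefixes; the advisory does not list the real endpoints.
REGISTRATION_PATHS = ("/wp-json/user-registration/", "/wp-admin/admin-ajax.php")

# Combined-log style line, optionally followed by body="..." (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+(?: body="(?P<body>[^"]*)")?'
)

def claimed_role(target, body):
    """Role the request tries to set, from query string or form body, else None."""
    params = parse_qs(urlparse(target).query)
    if body:
        params.update(parse_qs(body))
    for key, values in params.items():
        if "role" in key.lower():  # matches role, user_role, ur_role, ...
            return values[0].strip().lower()
    return None

def flag_suspicious(lines):
    """(ip, target, role) for each POST to a registration path claiming a privileged role."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["target"].startswith(REGISTRATION_PATHS):
            continue
        role = claimed_role(m["target"], m["body"])
        if role in PRIVILEGED_ROLES:
            hits.append((m["ip"], m["target"], role))
    return hits

# Constructed sample lines: a benign GET, a benign sign-up, two claiming administrator.
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Feb/2026:11:02:13 +0000] "GET /wp-login.php HTTP/1.1" 200 2312',
    '203.0.113.7 - - [10/Feb/2026:11:02:15 +0000] "POST /wp-json/user-registration/v1/register HTTP/1.1" '
    '200 512 body="username=jdoe&email=jdoe%40example.com&user_role=administrator"',
    '203.0.113.9 - - [10/Feb/2026:11:03:01 +0000] "POST /wp-json/user-registration/v1/register HTTP/1.1" '
    '200 512 body="username=alice&email=alice%40example.com&role=subscriber"',
    '203.0.113.7 - - [10/Feb/2026:11:03:40 +0000] "POST /wp-admin/admin-ajax.php?action=membership_signup'
    '&role=administrator HTTP/1.1" 200 88',
]
```

Running `flag_suspicious(SAMPLE_LOG)` returns the two requests from 203.0.113.7; each hit is a candidate for cross-checking against the accounts that currently hold the Administrator role.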
## References
- **Vendor Advisory:** hXXps[://]wpeverest[.]com/
- **Security Research:** hXXp[://]www[.]wordfence[.]com/threat-intel/vulnerabilities/wordpress-plugins/user-registration/user-registration-membership-512-unauthenticated-privilege-escalation-via-membership-registration
- **Vulnerability Feed:** hXXps[://]www[.]bleepingcomputer[.]com/news/security/wordpress-membership-plugin-bug-exploited-to-create-admin-accounts/