A serious flaw in the User Registration & Membership plugin, developed by WPEverest and present on tens of thousands of WordPress sites, is being used by attackers to take control of websites. The issue, tracked as CVE-2026-1492 and rated critical with a severity score of 9.8, allows an unauthenticated attacker to create accounts with administrator privileges, because the plugin accepts the user role supplied during the registration process.
That vector is especially dangerous because a WordPress administrator account is not simply an account with more editing options: it can install and delete plugins and themes, run or modify PHP code, alter security settings, delete legitimate accounts and change content. With that control, an attacker can extract user databases, plant backdoors and malicious code to distribute malware, or set up command-and-control infrastructure, storage for stolen data, or proxies for illicit traffic.

Public data collected by researchers shows active exploitation. Defiant, the company behind the Wordfence security plugin, recorded and blocked more than 200 exploitation attempts in customer environments over the last 24 hours. The scale adds to the urgency: the affected plugin is present on more than 60,000 installations according to its public listing, making many sites potential targets if they do not patch.
The plugin's maintainers published a fix that closes the original vulnerability. Versions up to 5.1.2 are affected; the problem was initially addressed in version 5.1.3, and the recommendation since then is to update to the most recent version available (5.1.4 at the time of the notice). You can check the official information and download the update from the project page in the WordPress repository, User Registration on WordPress.org, and consult the developer's documentation at WPEverest.
If you cannot apply the update immediately, the alternative recommended by specialists is to temporarily disable or remove the plugin until you can install the fixed version. This simple preventive measure keeps a vulnerable interface from being publicly reachable by automated or manual attackers.
In addition to applying the patch or disabling the plugin, review the site proactively. Check the user list and remove unknown administrator accounts; inspect access and registration logs for unusual activity spikes or user-creation records; run a scan with a WordPress security solution; and, if there is the slightest suspicion of compromise, restore from a clean backup and rotate the associated API credentials and keys. For general hardening guidance and good practices, see the official WordPress hardening guide, Hardening WordPress, and the explanation of roles and capabilities to know what to review in the permissions: Roles and Capabilities.
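
The administrator review described above can be scripted. This is an added example, not code from WPEverest or Wordfence: it filters the CSV that WP-CLI's `wp user list` prints and flags administrators that are not on a known-good list or were registered on or after a cutoff date. The allowlist, the cutoff date and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit administrator accounts after a privilege-escalation exposure.
# Real input would come from WP-CLI:
#   wp user list --role=administrator \
#     --fields=ID,user_login,user_email,user_registered --format=csv
# Assumption: no field contains a comma (the date field is quoted).

# flag_admins CUTOFF ALLOWLIST
#   CUTOFF    - YYYY-MM-DD chosen by the operator (e.g. when the
#               vulnerable plugin version was first exposed)
#   ALLOWLIST - comma-separated logins known to be legitimate admins
# Reads the CSV on stdin; prints ID|login|email|registered|reasons.
flag_admins() {
  awk -F',' -v cutoff="$1" -v allow="$2" '
    BEGIN {
      n = split(allow, a, ",")
      for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    NR == 1 { next }                  # skip the CSV header row
    {
      gsub(/"/, "")                   # drop CSV quoting, re-splits fields
      login = $2
      day = substr($4, 1, 10)         # date part of user_registered
      reason = ""
      if (!(login in ok)) reason = "not-on-allowlist"
      # ISO dates sort lexically, so force a string comparison.
      if ((day "") >= (cutoff "")) {
        if (reason != "") reason = reason "+"
        reason = reason "registered-after-cutoff"
      }
      if (reason != "") print $1 "|" login "|" $3 "|" $4 "|" reason
    }'
}

# Constructed sample data in the WP-CLI CSV shape (not real accounts).
sample_csv() {
  cat <<EOF
ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,"2023-05-02 09:14:00"
7,ana_admin,ana@example.com,"2024-11-19 16:40:31"
13,oldvendor,vendor@example.org,"2022-01-10 08:00:00"
42,wpsvc_9f3,x91@example.net,"2026-03-03 02:17:45"
EOF
}

# Demo run: cutoff and allowlist are placeholder values.
sample_csv | flag_admins 2026-02-01 siteowner,ana_admin
```

Every flagged account still needs a human decision before removal; an account that is off the allowlist but old may be a forgotten legitimate administrator rather than one created through the flaw.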

This incident fits into a broader trend: plugins remain a preferred vector for attackers seeking privilege escalation or remote code execution. In recent months, several critical vulnerabilities have been published and exploited in popular plugins, with impact ranging from administrative access to remote code execution. In January 2026, for example, another active exploitation campaign was documented that gave administrator access to vulnerable sites through a maximum-severity flaw in the Modular DS plugin (CVE-2026-23550), which underlines the need to maintain a constant cycle of updating and monitoring.
If you are a web administrator, the practical rule is simple: update now and check the state of the site. If you manage multiple installations, schedule automatic updates for critical components or apply controls that limit the exposure of public registration pages. Teams that provide web services to third parties should inform customers promptly and share clear risk-mitigation instructions.
The good news is that once the patched version is installed, the vulnerability is resolved. The bad news is that attackers do not wait: they quickly exploit known holes, especially those that let them create administrators without authentication. Keeping plugins up to date, and combining that with regular backups and a backup solution that detects abnormal behavior, are simple measures that significantly reduce the risk of compromise.