A critical vulnerability (CVE-2026-1492) in the User Registration & Membership plugin for WordPress is being actively exploited, allowing attackers to create administrator accounts without authentication. This gives hackers full control of affected sites to steal data or distribute malware. The plugin developer has released a fixed version (5.1.3 and later), and administrators are urged to update immediately or disable the plugin. The main topics covered are the security vulnerability, its exploitation, and the recommended mitigation.
Hackers are exploiting a critical vulnerability in the User Registration & Membership plugin, which is installed on more than 60,000 WordPress sites.
Developed by WPEverest, the plugin provides membership and user registration management features, including custom forms, payment integrations with PayPal and Stripe, bank transfers, and analytics.
The security vulnerability is tracked as CVE-2026-1492 and received a critical severity rating of 9.8. Because the plugin accepts a user-supplied role during membership registration, hackers can create administrator accounts without authentication.
An administrator account has full access on the website, and it is required to install plugins and themes, edit PHP code, change security settings, modify site content, and lock out legitimate owners or admins.
An attacker with this level of access can steal data, such as the database of registered users, and embed malicious code to distribute malware to visitors.
Researchers at WordPress security company Defiant, the maker of the Wordfence security plugin, blocked more than 200 attempts to exploit CVE-2026-1492 in customer environments in the past 24 hours.
The vulnerability affects all versions of User Registration & Membership through 5.1.2. The developer released a fix in version 5.1.3 of the plugin. Website admins are advised to update to the latest version of the plugin, which is currently 5.1.4, released last week.
If updating is not possible, the recommendation is to temporarily disable or uninstall the plugin.
According to Wordfence data, CVE-2026-1492 is the most severe vulnerability in the User Registration & Membership plugin disclosed this year.
Hackers are constantly targeting WordPress sites for malicious activities that include malware distribution, phishing, hosting command-and-control servers, proxy malicious traffic, or to store stolen data.
In January 2026, hackers began exploiting a maximum-severity flaw (CVE-2026-23550) in the Modular DS WordPress plugin, allowing them to bypass authentication remotely and access vulnerable sites with admin-level privileges.
Red Report 2026: Why Ransomware Encryption Dropped 38%
Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.
Meridiano
