- Critical bug found in WordPress plugin that allows attackers to register admin accounts without authorization
- Over 37,000 websites are currently exposed
Tens of thousands of WordPress websites are vulnerable to a site-wide takeover, thanks to a critical vulnerability just discovered in a popular plugin.
Security researchers at Defiant reported finding a flaw in User Registration & Membership, a WordPress plugin that helps administrators create subscription plans, control user access, and accept payments. The flaw stems from the plugin accepting a user-supplied role during membership registration without enforcing a server-side list of permitted roles.
As a result, unauthorized attackers can create administrator accounts by specifying a role value at registration.
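The pattern described above, trusting a role value taken from the registration request instead of deriving it on the server, is illustrated below with an added example. This is not code from the User Registration & Membership plugin; the handler names, the `$plan_roles` map and the plan ids are hypothetical, and the WordPress functions used (`wp_insert_user`, `sanitize_user`, `sanitize_email`, `sanitize_key`, `WP_Error`) are the standard core APIs.

```php
<?php
// Added illustration, not code from the plugin discussed in the article.
// Assumed context: a WordPress membership self-registration handler.
// urm_demo_register_weak(), urm_demo_register_hardened() and the plan map
// are hypothetical names for this example only.

// Weak pattern: the role is copied straight from the request body, so any
// value the client sends (including 'administrator') reaches wp_insert_user().
function urm_demo_register_weak( array $request ) {
    $userdata = array(
        'user_login' => sanitize_user( $request['username'] ),
        'user_email' => sanitize_email( $request['email'] ),
        'user_pass'  => $request['password'],
        'role'       => $request['role'], // client-controlled: the defect
    );
    return wp_insert_user( $userdata );
}

// Hardened pattern: the client may only choose a plan id; the role is resolved
// on the server from a fixed map, and the result is checked against an
// allowlist that never contains privileged roles.
function urm_demo_register_hardened( array $request ) {
    // Hypothetical plan -> role mapping; self-registration never yields more
    // than 'subscriber' regardless of what the request contains.
    $plan_roles = array(
        'free'    => 'subscriber',
        'premium' => 'subscriber',
    );
    $plan = isset( $request['plan'] ) ? sanitize_key( $request['plan'] ) : '';
    if ( ! array_key_exists( $plan, $plan_roles ) ) {
        return new WP_Error( 'invalid_plan', 'Unknown membership plan.' );
    }
    $role = $plan_roles[ $plan ];

    // Defence in depth: even if the map above is later misconfigured, refuse
    // any role outside this explicit allowlist.
    $allowed_roles = array( 'subscriber' );
    if ( ! in_array( $role, $allowed_roles, true ) ) {
        return new WP_Error( 'role_not_allowed', 'Role not permitted at self-registration.' );
    }

    $userdata = array(
        'user_login' => sanitize_user( $request['username'], true ),
        'user_email' => sanitize_email( $request['email'] ),
        'user_pass'  => $request['password'],
        'role'       => $role, // server-derived, never read from the request
    );
    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }

    // A 'role' key in a self-registration request is never legitimate here;
    // record it so attempts to escalate show up in the server log.
    if ( isset( $request['role'] ) ) {
        error_log( sprintf(
            'urm_demo: ignored client-supplied role "%s" on registration of user %d',
            sanitize_key( $request['role'] ),
            $user_id
        ) );
    }
    return $user_id;
}
```

The point of the hardened version is that the role is a server-side function of the chosen plan, so no value the client controls ever reaches the `role` argument of `wp_insert_user()`. Logging an unexpected `role` field is cheap and gives site owners a concrete signal to search for when checking whether their installation was targeted before updating to the fixed release.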
Actively abused
The bug is described as “improper privilege management” and is now tracked as CVE-2026-1492. It has a severity rating of 9.8/10 (Critical) and affects all versions of the plugin up to and including 5.1.2. It was fixed in version 5.1.3, which is now available for download.
The researchers said they saw more than 200 attempts to exploit this vulnerability in just 24 hours, suggesting that cybercriminals are well aware of the flaw and are actively looking for vulnerable websites.
The attack surface is also quite large: according to the official WordPress repository, User Registration & Membership is installed on more than 60,000 active sites, and the vast majority (62.7%) are running version 4.4 and older.
This means that at least 37,000 websites are currently susceptible to the improper privilege management flaw.
To make matters worse, the plugin page doesn’t distinguish between version 5.1.2 and 5.1.3, so it’s quite possible that the actual number of vulnerable sites is even higher.
With an administrator account, threat actors can wreak all sorts of havoc, from exfiltrating sensitive data to using the site to host malware. They can also redirect legitimate traffic to malicious websites filled with ads, can trick users into sharing login information, and more.
Via Bleeping Computer