- User registration and membership plugin flaws allow attackers to gain administrator access without logging in
- Exposed nonce values enable unauthorized backend requests and privilege escalation
- Sensitive user data is revealed when the administrative rights are obtained
A critical security flaw in a widespread WordPress plugin allows unauthorized attackers to bypass authentication checks and gain full administrative access to affected websites.
The vulnerability, tracked as CVE-2026-1492, affects the User Registration and Membership plugin version 5.1.2 and earlier.
Experts at Cyfirma say that improper server-side validation and weak authorization controls within the member registration workflow create this dangerous hole.
How attackers exploit the vulnerability without any credentials
Attackers can abuse exposed client-side data and insufficient backend validation to manipulate parameters that directly affect authentication and privilege granting.
The vulnerability stems from trusting user-controlled input instead of enforcing strict server-side validation.
Backend endpoints process membership-related actions without proper authentication or authorization checks.
This vulnerability becomes dangerous because exposed nonce values in client-side JavaScript are accessible to unauthorized users.
Attackers can then reuse these nonce values in crafted requests to manipulate backend behavior, even for website builders.
By inspecting these values, attackers can construct malicious requests directed at the WordPress AJAX endpoint at /wp-admin/admin-ajax.php.
The backend processes these requests without confirming the origin or authorization state of the request.
This results in automatic authentication and privilege escalation, where administrative access is granted without any legitimate login process taking place.
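The weak pattern the article describes (a nonce that is public in client-side JavaScript treated as if it were authentication, a role taken from the request, and a handler reachable without logging in) next to a hardened version, as an added illustration that is not the plugin's code; the action name `mp_assign_membership`, the nonce action `mp_nonce`, the `plan` and `role` parameters and the plan-to-role map are all hypothetical:

```php
<?php
// Added example, not the affected plugin's code. All hook, nonce and parameter names are hypothetical.

// WEAK: hooked for unauthenticated callers (nopriv), gated only on a nonce that the page
// exposes in JavaScript, and trusting a client-supplied role. A nonce proves the request
// came from a page that had the nonce, not who sent it, so this is CSRF protection at best.
function mp_assign_membership_weak() {
    check_ajax_referer( 'mp_nonce', 'nonce' );
    $user_id = absint( $_POST['user_id'] ?? 0 );
    $role    = sanitize_key( $_POST['role'] ?? 'subscriber' ); // attacker-controlled
    $user    = get_user_by( 'id', $user_id );
    if ( $user ) {
        $user->set_role( $role );        // nothing stops 'administrator' here
        wp_set_auth_cookie( $user_id );  // and the caller is logged in as that user
    }
    wp_send_json_success();
}
// Shown for contrast only; a nopriv hook on a privilege-changing action is the core mistake.
add_action( 'wp_ajax_mp_assign_membership_weak', 'mp_assign_membership_weak' );
add_action( 'wp_ajax_nopriv_mp_assign_membership_weak', 'mp_assign_membership_weak' );

// HARDENED: no nopriv hook, an explicit capability check on the server, the role chosen
// server-side from an allow-list keyed by plan, and no auth-cookie minting.
function mp_assign_membership_hardened() {
    check_ajax_referer( 'mp_nonce', 'nonce' ); // still useful, but only against CSRF
    if ( ! is_user_logged_in() || ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $plan_to_role = array( 'free' => 'subscriber', 'pro' => 'contributor' ); // hypothetical map
    $plan    = sanitize_key( $_POST['plan'] ?? '' );
    $user_id = absint( $_POST['user_id'] ?? 0 );
    $user    = get_user_by( 'id', $user_id );
    if ( ! isset( $plan_to_role[ $plan ] ) || ! $user ) {
        wp_send_json_error( 'invalid request', 400 );
    }
    $user->set_role( $plan_to_role[ $plan ] ); // never 'administrator' from this path
    wp_send_json_success( array( 'role' => $plan_to_role[ $plan ] ) );
}
add_action( 'wp_ajax_mp_assign_membership', 'mp_assign_membership_hardened' );
```

The checks to look for when reviewing any membership or registration handler are the same three: is it registered under `wp_ajax_nopriv_*`, does it call `current_user_can()` rather than relying on the nonce alone, and does the role or capability it grants come from the request.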
Successful exploitation gives attackers unlimited administrative rights over the entire WordPress environment.
With this level of access, attackers can install malicious plugins and modify themes to execute arbitrary code.
They can also access sensitive user data, including credentials and configuration files.
Hidden administrator accounts can be created to ensure continued access even after initial registration.
These attackers can also redirect website visitors to phishing sites or malware distribution sites.
Site defacement, content manipulation, and malicious script injection become trivial once administrative control is established.
All versions of the User Registration & Membership plugin up to and including version 5.1.2 are vulnerable to this bug – but the issue has been fixed in version 5.1.3 through improved validation and authorization mechanisms – so site administrators should update immediately.
After updating, administrators should review existing user accounts, especially those with administrative privileges, which will help identify any unauthorized accounts created prior to patching.
Suspicious sessions should be invalidated and credentials reset if compromise is suspected.
The vulnerability has a CVSS v4.0 score of 9.8 out of 10, indicating critical severity.
Observed discussions in underground forums show active interest in exploiting this vulnerability.
Hackers are already sharing exploit techniques among themselves and discussing automation strategies.
Initial Access Brokers can exploit this flaw to gain administrative access and resell it for ransomware deployment, SEO spam campaigns, or credential harvesting operations.
Given the low complexity of exploitation and public awareness of the technique, website owners running the affected plugin should treat their systems as actively vulnerable and prioritize remediation immediately.