Hackers are actively exploiting a critical vulnerability in the User Registration and Membership plugin used by more than 60,000 WordPress websites.
The flaw allows attackers to create administrator accounts without authentication, giving them full control over affected sites.
The plugin, developed by WPEverest, is widely used to manage membership systems and user registrations. It offers features such as custom registration forms, payment integrations with PayPal and Stripe, bank transfer support, and built-in analytics.
The vulnerability is tracked as CVE-2026-1492 and has received a critical severity rating of 9.8. The issue exists because the plugin accepts a user-supplied role during the registration process. This flaw allows attackers to register new accounts and assign themselves administrator privileges.
An administrator account provides complete control over a WordPress site. With this level of access, attackers can install plugins and themes, modify PHP code, change security settings, alter site content, and even lock legitimate administrators out of their own websites.
Hackers who gain administrative access can also steal sensitive data stored on the site, including databases containing registered user information. They may also inject malicious code that distributes malware to visitors or use the site to host phishing campaigns and other malicious operations.
Researchers at Defiant, the security company behind the Wordfence plugin, reported blocking more than 200 exploitation attempts targeting the vulnerability in customer environments within 24 hours.
The flaw affects all versions of the User Registration and Membership plugin up to version 5.1.2. The developer has released a fix in version 5.1.3, and website administrators are strongly advised to update to the latest version of the plugin, currently version 5.1.4, which was released last week.
If website owners cannot immediately update the plugin, security experts recommend temporarily disabling or removing it until an update can be applied.
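Because the flaw lets a self-registered account arrive with the administrator role, updating alone does not remove accounts created before the patch. The following audit helper is an added example, not code from the article or from WPEverest: it reads the JSON produced by the real wp-cli command `wp user list --format=json --fields=ID,user_login,user_email,user_registered,roles` and flags administrator accounts, not on your known list, that were registered after a cutoff date you choose (the earliest date the vulnerable plugin version could have been installed). The sample accounts and the `KNOWN_ADMINS` set are constructed for the example.

```python
import json
from datetime import datetime

# Constructed sample of `wp user list --format=json --fields=...` output.
# Field names match wp-cli's; the accounts themselves are made up.
SAMPLE_WP_USER_LIST = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.test",
     "user_registered": "2021-05-10 08:00:00", "roles": "administrator"},
    {"ID": 58, "user_login": "jane", "user_email": "jane@example.test",
     "user_registered": "2026-01-28 14:02:11", "roles": "subscriber"},
    {"ID": 61, "user_login": "wpadmin2", "user_email": "x@mailer.test",
     "user_registered": "2026-02-03 03:17:45", "roles": "administrator"},
    {"ID": 62, "user_login": "support_ops", "user_email": "y@mailer.test",
     "user_registered": "2026-02-04 22:41:09", "roles": "subscriber, administrator"},
])

# Administrator logins that are expected to exist on the site (constructed).
KNOWN_ADMINS = {"siteowner"}


def suspicious_admins(user_list_json: str, since: str, known: set = KNOWN_ADMINS) -> list:
    """Return administrator accounts not in `known` registered on or after `since`.

    `since` is an ISO date (YYYY-MM-DD). Use the earliest date the vulnerable
    plugin version (5.1.2 or older) could have been active on the site.
    """
    cutoff = datetime.fromisoformat(since)
    flagged = []
    for user in json.loads(user_list_json):
        # wp-cli renders multiple roles as one comma-separated string.
        roles = {r.strip() for r in user["roles"].split(",")}
        if "administrator" not in roles or user["user_login"] in known:
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= cutoff:
            flagged.append({"ID": user["ID"], "user_login": user["user_login"],
                            "user_email": user["user_email"],
                            "user_registered": user["user_registered"]})
    return flagged


if __name__ == "__main__":
    for u in suspicious_admins(SAMPLE_WP_USER_LIST, "2026-01-01"):
        print(f"review account {u['user_login']} (ID {u['ID']}) registered {u['user_registered']}")
```

Any account this flags should be reviewed together with the site's access logs and other traces of post-compromise changes (new plugins, themes, modified PHP files) before it is removed.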
According to Wordfence data, CVE-2026-1492 is the most severe vulnerability discovered in the User Registration and Membership plugin so far this year.
WordPress websites are frequent targets for cybercriminals. Attackers often exploit vulnerabilities to distribute malware, run phishing campaigns, operate command and control servers, route malicious traffic, or store stolen data.
Earlier this year, hackers also exploited another critical vulnerability, CVE-2026-23550, in the Modular DS WordPress plugin. That flaw allowed attackers to bypass authentication remotely and gain administrator-level access to vulnerable websites.