A critical security vulnerability in the User Registration & Membership plugin threatens over 60,000 WordPress websites, enabling hackers to create hidden admin accounts without authentication. Tracked as CVE-2026-1492, the flaw affects versions up to 5.1.2 and stems from inadequate server-side validation and weak authorization in the membership workflow.
How Attackers Exploit the Flaw
Unauthenticated attackers exploit nonce values exposed in client-side JavaScript to craft malicious requests to the WordPress AJAX endpoint at /wp-admin/admin-ajax.php. A nonce only shows that a request originated from a page that rendered it; it is not proof of identity or authorization. The affected backend endpoints process membership actions without verifying the request origin or the caller's authorization, so a forged request escalates privileges directly to full admin access.
Experts at Cyfirma highlight that trusting user-controlled inputs without strict checks allows manipulation of authentication parameters. Successful attacks grant unrestricted control, permitting installation of malicious plugins, theme modifications for code execution, and access to sensitive user data such as credentials and configuration files.
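The article does not reproduce the plugin's code, so the following is an added illustration, not the plugin's or the vendor's code, of the generic pattern the description implies: an admin-ajax handler reachable by unauthenticated callers that treats a page-visible nonce as if it were authorization, beside a hardened handler that registers only for logged-in users, verifies the nonce, checks a capability, and validates input against an allowlist. The action names, parameter names and the role allowlist are assumptions for the example.

```php
<?php
// Added illustration (not the plugin's code). Action names, parameters and
// the membership roles are assumed for the example.

// --- Weak pattern: nonce checked, authorization never checked ---------------
// A nonce is embedded in page JavaScript, so anyone who loads the page can read
// it. It is a CSRF token, not a credential.
add_action( 'wp_ajax_nopriv_demo_assign_membership', 'demo_assign_membership_weak' );
add_action( 'wp_ajax_demo_assign_membership', 'demo_assign_membership_weak' );

function demo_assign_membership_weak() {
    check_ajax_referer( 'demo_membership', 'nonce' );   // CSRF check only
    $user_id = (int) $_POST['user_id'];                  // caller-controlled
    $role    = $_POST['role'];                           // caller-controlled, unchecked
    $user = get_user_by( 'id', $user_id );
    if ( $user ) {
        $user->set_role( $role );                        // role chosen by the caller
    }
    wp_send_json_success();
}

// --- Hardened pattern -------------------------------------------------------
// No wp_ajax_nopriv_ registration: unauthenticated requests never reach it.
add_action( 'wp_ajax_demo_assign_membership_safe', 'demo_assign_membership_safe' );

function demo_assign_membership_safe() {
    // 1. CSRF check, without dying so the error is reported as JSON.
    if ( ! check_ajax_referer( 'demo_membership', 'nonce', false ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
    // 2. Authorization: the caller must hold a capability that permits
    //    changing roles. This cannot be obtained by reading page source.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 3. Server-side validation: only allow-listed, non-privileged roles,
    //    and only for a user the caller is permitted to edit.
    $allowed_roles = array( 'subscriber', 'member' );   // assumed membership roles
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $role    = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : '';
    if ( ! $user_id || ! in_array( $role, $allowed_roles, true ) ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $user = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 404 );
    }
    $user->set_role( $role );
    wp_send_json_success( array( 'user_id' => $user_id, 'role' => $role ) );
}
```

The three gates in the hardened handler are independent: the nonce stops cross-site request forgery, the capability check stops an authenticated low-privilege user, and the role allowlist stops a privileged caller from being tricked into granting a role the feature was never meant to assign. Dropping the `wp_ajax_nopriv_` hook is what removes the unauthenticated path entirely.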
Potential Impacts of Exploitation
With admin privileges, hackers can establish persistent access via hidden accounts, deface sites, inject malicious scripts, or redirect visitors to phishing and malware pages. Discussions in underground forums reveal active sharing of exploit techniques and automation plans, with initial access brokers eyeing it for ransomware, SEO spam, and credential theft.
Remediation Steps
Version 5.1.3 patches the issue with enhanced validation and authorization. Site owners must update immediately, audit user accounts for unauthorized admins, invalidate suspicious sessions, and reset credentials if compromise is suspected. The flaw scores 9.8/10 on the CVSS v4.0 scale, rating it critical with low exploitation complexity.
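The account audit and session invalidation steps above can be scripted. The following is an added example, not the plugin's or the WordPress project's code, intended to be run with `wp eval-file audit-admins.php` on the affected site: it lists every account holding the administrator role, flags those not on an expected list or registered after a cutoff date, and destroys the sessions of the flagged accounts. The allowlist and the cutoff date are assumptions to be replaced with the site's own values.

```php
<?php
// Added example (not the plugin's code). Run as: wp eval-file audit-admins.php
// The allowlist and cutoff below are assumed values for illustration.
$expected_admins = array( 'alice', 'bob' );   // assumed: logins of known, legitimate admins
$cutoff          = '2026-01-01 00:00:00';     // assumed: no legitimate admin was created after this

// get_users() with role => administrator returns every account holding that role,
// including ones created outside the normal registration flow.
$admins = get_users( array(
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'DESC',
) );

$suspicious = array();
foreach ( $admins as $u ) {
    $reasons = array();
    if ( ! in_array( $u->user_login, $expected_admins, true ) ) {
        $reasons[] = 'not on allowlist';
    }
    // user_registered is "Y-m-d H:i:s", so string comparison orders correctly.
    if ( $u->user_registered > $cutoff ) {
        $reasons[] = 'registered after cutoff';
    }
    printf( "%-6d %-20s %-30s %s %s\n",
        $u->ID, $u->user_login, $u->user_email, $u->user_registered,
        $reasons ? '<-- ' . implode( ', ', $reasons ) : '' );
    if ( $reasons ) {
        $suspicious[] = $u;
    }
}

// Invalidate every session of each flagged account. Credential resets and
// removal of confirmed rogue accounts are then done by hand after review.
foreach ( $suspicious as $u ) {
    WP_Session_Tokens::get_instance( $u->ID )->destroy_all();
    echo "destroyed all sessions for {$u->user_login}\n";
}
```

A quicker first look without the script is `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered`, but the script also records why each account was flagged and performs the session invalidation in the same pass. A legitimate admin caught by a stale allowlist is merely logged out, so the cost of a false positive is low.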