

Ethical Hacking News

WordPress Membership Plugin Vulnerability: A Critical Security Threat to Thousands of Websites


A critical vulnerability has been discovered in the User Registration & Membership plugin, which is widely used across over 60,000 WordPress sites. The vulnerability can be exploited by hackers to create administrator accounts without authentication, posing a significant risk to websites that rely on user registration and membership features.

  • A critical vulnerability (CVE-2026-1492) has been discovered in the User Registration & Membership plugin used by over 60,000 WordPress sites.
  • The vulnerability allows hackers to create administrator accounts without authentication, posing a significant risk to websites that rely on user registration and membership features.
  • Updating to version 5.1.4 is recommended to mitigate the risk; if that is not possible, disable or uninstall the plugin until the update can be applied.



    In a recent development that has left security experts and website administrators on high alert, a critical vulnerability has been discovered in the User Registration & Membership plugin, which is widely used across over 60,000 WordPress sites. This vulnerability, tracked as CVE-2026-1492, has received a severity rating of 9.8 and can be exploited by hackers to create administrator accounts without authentication.

    The plugin, developed by WPEverest, offers various membership and user registration management features, including custom forms, payment integrations with PayPal and Stripe, bank transfers, and analytics. While these features may seem innocuous, they have now become a vector for malicious actors to gain unauthorized access to websites.

    According to Wordfence, a security company that specializes in WordPress protection, the vulnerability affects all versions of User Registration & Membership through 5.1.2. The developer has released a fix in version 5.1.3, but website administrators are advised to update to the latest version, which is currently 5.1.4.

    The severity of this vulnerability cannot be overstated. An attacker with admin-level access can steal data, such as the database of registered users, and embed malicious code to distribute malware to visitors. This could have far-reaching consequences for websites that rely on user registration and membership features.

    The discovery of this vulnerability is not an isolated incident. In January 2026, hackers exploited a maximum-severity flaw (CVE-2026-23550) in the Modular DS WordPress plugin, allowing them to bypass authentication remotely and access vulnerable sites with admin-level privileges.


    To mitigate this risk, website administrators are advised to update their User Registration & Membership plugin to the latest version (5.1.4) immediately. If updating is not possible, the recommendation is to temporarily disable or uninstall the plugin until a fix can be applied.
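The check below is an added triage example, not code from the plugin, WPEverest or Wordfence: it classifies an installed plugin version against the versions named above and lists administrator accounts that need review. It assumes user data exported with WP-CLI (`wp user list --format=json`); the allowlist, cutoff date and sample accounts are constructed for illustration.

```python
import json
from datetime import datetime

LAST_AFFECTED = (5, 1, 2)  # article: all versions through 5.1.2 are affected
RECOMMENDED = (5, 1, 4)    # article: latest version administrators should run


def parse_version(text):
    """Turn '5.1.2' into (5, 1, 2); short versions such as '5.1' are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def plugin_status(installed):
    """Classify an installed User Registration & Membership version string."""
    version = parse_version(installed)
    if version <= LAST_AFFECTED:
        return "vulnerable"
    if version < RECOMMENDED:
        return "patched-but-outdated"  # 5.1.3 carries the fix; 5.1.4 is advised
    return "current"


def admins_to_review(users_json, known_admins, since):
    """Return administrator logins that are not allowlisted or were registered
    on or after `since` (YYYY-MM-DD, an assumed start of the exposure window)."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    flagged = []
    for user in json.loads(users_json):
        roles = [r.strip() for r in user["roles"].split(",")]
        if "administrator" not in roles:
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if user["user_login"] not in known_admins or registered >= cutoff:
            flagged.append(user["user_login"])
    return flagged


# Constructed sample shaped like `wp user list --format=json` output.
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "site-owner", "user_registered": "2023-04-11 09:15:00", "roles": "administrator"},
    {"ID": 7, "user_login": "editor-amy", "user_registered": "2024-08-02 14:20:31", "roles": "editor"},
    {"ID": 58, "user_login": "svc_backup2", "user_registered": "2026-03-02 03:41:19", "roles": "administrator"},
    {"ID": 59, "user_login": "member-bob", "user_registered": "2026-03-03 10:05:00", "roles": "subscriber"},
])

if __name__ == "__main__":
    print(plugin_status("5.1.2"))
    print(admins_to_review(SAMPLE_USERS, {"site-owner"}, "2026-02-01"))
```

Any login this returns should be confirmed with the site owner before the account is removed, since the list also includes legitimate administrators added during the review window.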

    In conclusion, the discovery of this critical vulnerability in the User Registration & Membership plugin highlights the need for website administrators to prioritize security and stay vigilant against emerging threats.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/WordPress-Membership-Plugin-Vulnerability-A-Critical-Security-Threat-to-Thousands-of-Websites-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/wordpress-membership-plugin-bug-exploited-to-create-admin-accounts/

  • https://www.searchenginejournal.com/wordpress-user-registration-membership-plugin-vulnerability/568716/

  • https://securityonline.info/wordpress-security-alert-critical-privilege-escalation-flaw-in-popular-membership-plugin/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-1492

  • https://www.cvedetails.com/cve/CVE-2026-1492/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-23550

  • https://www.cvedetails.com/cve/CVE-2026-23550/


  • Published: Thu Mar 5 13:10:48 2026 by llama3.2 3B Q4_K_M












