Attackers are actively exploiting a critical vulnerability in a widely used WordPress plugin that lets an unauthenticated visitor register an account with administrator privileges. The flaw is tracked as CVE-2026-1492 and carries a severity score of 9.8 (critical). The root cause is that the plugin trusts a user-supplied role value during membership registration.
The affected software, User Registration and Membership, is installed on more than 60,000 WordPress sites. The plugin provides tools for user registration, membership management, custom forms, payment integrations, and analytics features for website operators.
The vulnerability is an improper privilege management flaw in the plugin's registration form handling. When a new user is created, the plugin does not decide the role server-side from the form's configuration; it takes whatever role value arrives in the registration request.
Exploitation is straightforward: the attacker submits a normal registration, intercepts or crafts the request, and replaces the role field in the payload with the administrator role. Because the server never checks the submitted role against an allow-list of self-registrable roles, the new account is created as an administrator and the attacker can log in with full privileges immediately. No existing account or prior access is needed; any site exposing the plugin's registration form is reachable.
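The following PHP is an added illustration of the bug class described above, written for this page; it is not code from the User Registration and Membership plugin and does not claim to match the plugin's internals. Function names, the form field names (`username`, `email`, `password`, `role`), the option name `example_form_role_<id>` and the `member` role are assumptions. The first handler shows the vulnerable pattern (role taken from the request); the second shows the hardened pattern (role taken from server-side form settings and checked against an allow-list), using only core WordPress functions.

```php
<?php
// Added example, not the plugin's code. Illustrates a registration handler
// that trusts a client-supplied role, beside a hardened equivalent.

// VULNERABLE pattern: the role comes straight from the POST body.
// An attacker intercepts the request and sets role=administrator.
function example_register_vulnerable( array $request ) {
    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $request['username'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $request['email'] ?? '' ) ),
        'user_pass'  => $request['password'] ?? '',
        // Client controls this value; wp_insert_user() will happily apply it.
        'role'       => $request['role'] ?? 'subscriber',
    );
    return wp_insert_user( $userdata ); // returns user ID or WP_Error
}

// HARDENED pattern: the role is never read from the request.
function example_register_hardened( array $request, int $form_id ) {
    // Tie the submission to a form this site rendered (assumed nonce action).
    $nonce = $request['_wpnonce'] ?? '';
    if ( ! wp_verify_nonce( $nonce, 'example_register_' . $form_id ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid registration request.' );
    }

    // Roles that a visitor is allowed to self-register into (assumed list).
    // Privileged roles (administrator, editor, ...) are deliberately absent.
    $allowed_roles = array( 'subscriber', 'member' );

    // Role comes from the form's server-side settings (assumed option name),
    // and even that value is checked against the allow-list.
    $role = get_option( 'example_form_role_' . $form_id, 'subscriber' );
    if ( ! in_array( $role, $allowed_roles, true ) ) {
        $role = 'subscriber';
    }

    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $request['username'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $request['email'] ?? '' ) ),
        'user_pass'  => $request['password'] ?? '',
        'role'       => $role,
    );
    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }

    // Defence in depth: if any filter or later code path attached a role that
    // is not self-registrable, strip it before returning.
    $user = get_user_by( 'id', $user_id );
    foreach ( $user->roles as $granted ) {
        if ( ! in_array( $granted, $allowed_roles, true ) ) {
            $user->remove_role( $granted );
        }
    }
    if ( empty( $user->roles ) ) {
        $user->set_role( $role );
    }
    return $user_id;
}
```

The key property of the hardened version is that the submitted `role` field is simply never read; the allow-list check on the configured role guards against a site owner (or a compromised settings page) configuring a form to hand out a privileged role.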
Administrator access allows complete control over a WordPress site. Attackers can install malicious plugins, modify website code, change security settings, alter site content, and lock out legitimate administrators. With this level of access, attackers can also extract databases containing registered user information and distribute malware to visitors.
Security researchers have already observed active exploitation. More than 200 attacks against the vulnerability were blocked within a single 24-hour period in monitored environments. A large share of installations remain exposed because many sites are still running outdated plugin versions.
The vulnerability affects all versions of User Registration and Membership up to and including version 5.1.2. The developer fixed it in version 5.1.3; version 5.1.4 is the release currently available.
Website administrators should update the plugin immediately. Updating closes the registration hole but does not evict an attacker who already created an account, so administrators should also audit the user list for unknown administrator accounts (paying attention to accounts registered around the time of the exploitation wave), remove any suspicious accounts, and rotate passwords and invalidate active sessions so that credentials or session cookies obtained during the compromise stop working. Because administrator access allows installing plugins and modifying site code, a site that was exposed should also be checked for unexpected plugins and changed files.
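The following PHP is an added example of the account audit and containment steps above, written for this page using core WordPress APIs; it is not part of the plugin or the article. It assumes it runs inside a loaded WordPress environment (for instance via WP-CLI's `wp eval-file`), and the cutoff date passed to it is a constructed placeholder.

```php
<?php
// Added example, not the plugin's code: find administrator accounts created
// after a given date, then demote, rotate and de-session (or delete) them.
// Requires a loaded WordPress environment (e.g. `wp eval-file audit.php`).

/**
 * Return administrator accounts whose user_registered is after $since.
 * $since is any date string MySQL/WP_Date_Query understands (assumed format).
 */
function example_find_recent_admins( string $since ): array {
    $query = new WP_User_Query( array(
        'role'       => 'administrator',
        'date_query' => array( array( 'after' => $since, 'inclusive' => true ) ),
        'fields'     => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
        'orderby'    => 'registered',
        'order'      => 'DESC',
    ) );
    return $query->get_results(); // array of stdClass rows with the fields above
}

/**
 * Contain one suspicious account. With $delete = true the account is removed
 * and its content reassigned to $reassign_to (an existing legitimate user ID);
 * otherwise it is demoted, its password rotated and all its sessions destroyed.
 */
function example_contain_account( int $user_id, bool $delete, ?int $reassign_to = null ): void {
    if ( $delete ) {
        require_once ABSPATH . 'wp-admin/includes/user.php';
        wp_delete_user( $user_id, $reassign_to );
        return;
    }
    $user = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        return;
    }
    $user->set_role( 'subscriber' );                       // drop administrator
    wp_set_password( wp_generate_password( 32, true ), $user_id ); // new random password
    WP_Session_Tokens::get_instance( $user_id )->destroy_all();    // kill live sessions
}

/**
 * After cleanup, invalidate every session on the site so any cookie stolen or
 * issued during the compromise is useless. Legitimate users simply log in again.
 */
function example_invalidate_all_sessions(): void {
    WP_Session_Tokens::destroy_all_for_all_users();
}

// Usage: list, review by hand, then contain. The date is a constructed
// placeholder; use the earliest plausible exploitation date for your site.
$suspects = example_find_recent_admins( '2026-01-01 00:00:00' );
foreach ( $suspects as $row ) {
    printf( "%d\t%s\t%s\t%s\n", $row->ID, $row->user_login, $row->user_email, $row->user_registered );
}
// After manual review:
// example_contain_account( 123, false );      // demote + rotate + de-session
// example_contain_account( 124, true, 1 );    // delete, reassign content to user 1
// example_invalidate_all_sessions();
```

The listing step is deliberately separate from containment: an attacker-created account can have any name, so the output should be compared against the known list of administrators before anything is deleted. Deleting with reassignment rather than demoting is preferable once you are sure the account is malicious, since a demoted account still holds whatever author-level content it created.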
