Cyber: WordPress Membership Plugin Bug Exploited To Create Admin Accounts
Hackers are exploiting a critical vulnerability in the User Registration & Membership plugin, which is installed on more than 60,000 WordPress sites.
Developed by WPEverest, the plugin provides membership and user registration management features, including custom forms, payment integrations with PayPal and Stripe, bank transfers, and analytics.
The security vulnerability is tracked as CVE-2026-1492 and received a critical severity rating of 9.8. Because the plugin accepts a user-supplied role during membership registration, hackers can create administrator accounts without authentication.
An administrator account has full access to the website; it is the level of access required to install plugins and themes, edit PHP code, change security settings, modify site content, and lock out legitimate owners or other admins.
An attacker with this level of access can steal data, such as the database of registered users, and embed malicious code to distribute malware to visitors.
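As an added illustration that is not the plugin's code and not part of the article, the snippet below shows the bug class described above in a hypothetical WordPress registration handler, first as the vulnerable pattern (the role is taken from the request) and then hardened (the role is resolved server-side against an allowlist). Function names, form field names and the custom 'member' role are assumptions.

```php
<?php
// Hypothetical registration handler; not the plugin's code. Form field
// names, function names and the 'member' role are assumptions.

// VULNERABLE PATTERN: the account role is whatever the client submits.
function vuln_handle_registration() {
    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => $_POST['password'] ?? '',
        // Nothing restricts this value, so an unauthenticated request can
        // name any role that exists on the site, including 'administrator'.
        'role'       => sanitize_key( $_POST['role'] ?? 'subscriber' ),
    );
    return wp_insert_user( $userdata ); // int user ID or WP_Error
}

// HARDENED PATTERN: the server decides which role a self-service form may
// hand out. Anything outside the allowlist, unknown to WordPress, or
// carrying a privileged capability falls back to the site's default role.
function safe_resolve_role( $requested ) {
    $allowed   = array( 'subscriber', 'member' ); // 'member' is an assumed custom role
    $fallback  = get_option( 'default_role', 'subscriber' );
    $requested = sanitize_key( $requested );

    if ( ! in_array( $requested, $allowed, true ) ) {
        return $fallback;
    }
    $role = get_role( $requested );
    if ( null === $role ) {
        return $fallback; // role does not exist on this site
    }
    // Defense in depth: never let a registration form grant a role that can
    // manage the site, even if the allowlist is misconfigured later.
    if ( $role->has_cap( 'manage_options' ) || $role->has_cap( 'edit_users' ) ) {
        return $fallback;
    }
    return $requested;
}

function safe_handle_registration() {
    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => $_POST['password'] ?? '',
        'role'       => safe_resolve_role( $_POST['role'] ?? '' ),
    );
    return wp_insert_user( $userdata );
}
```

The same server-side allowlist applies wherever a plugin maps a membership plan to a role: the mapping must live in admin-controlled settings, never in the submitted form.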
Researchers at WordPress security company Defiant, the maker of the Wordfence security plugin, blocked more than 200 attempts to exploit CVE-2026-1492 in customer environments in the past 24 hours.
The vulnerability affects all versions of User Registration & Membership through 5.1.2. The developer released a fix in version 5.1.3 of the plugin. Website admins are advised to update to the latest version of the plugin, which is currently 5.1.4, released last week.
If updating is not possible, the recommendation is to temporarily disable or uninstall the plugin.
According to Wordfence data, CVE-2026-1492 is the most severe vulnerability in the User Registration & Membership plugin disclosed this year.
Hackers constantly target WordPress sites for malicious activities that include distributing malware, phishing, hosting command-and-control servers, proxying malicious traffic, and storing stolen data.
Source: BleepingComputer