Critical Vulnerability in WordPress User Registration & Membership Plugin Exploited
Summary
A critical vulnerability (CVE-2026-1492) in the WordPress User Registration & Membership plugin, installed on over 60,000 sites, allows attackers to create admin accounts without authentication. This flaw, rated 9.8 in severity, enables full site control, data theft, and malware distribution. The developer has released a patch in version 5.1.3, with the latest version being 5.1.4. Hackers have already attempted to exploit this vulnerability in over 200 attacks in the past 24 hours. Website administrators are urged to update the plugin immediately or disable it if updating is not possible.
Timeline
- 05.03.2026 20:44 (1 article)
  Critical Vulnerability in WordPress User Registration & Membership Plugin Exploited
- WordPress membership plugin bug exploited to create admin accounts — www.bleepingcomputer.com — 05.03.2026 20:44
Information Snippets
- The vulnerability is tracked as CVE-2026-1492 and has a critical severity rating of 9.8.
  First reported: 05.03.2026 20:44 (1 source, 1 article)
- The flaw allows attackers to create administrator accounts without authentication.
  First reported: 05.03.2026 20:44 (1 source, 1 article)
- Administrator accounts provide full access to the website, including the ability to install plugins, edit PHP code, and modify site content.
  First reported: 05.03.2026 20:44 (1 source, 1 article)
- Attackers can steal data and embed malicious code to distribute malware to visitors.
  First reported: 05.03.2026 20:44 (1 source, 1 article)
- The vulnerability affects all versions of the plugin through 5.1.2.
  First reported: 05.03.2026 20:44 (1 source, 1 article)
- The developer released a fix in version 5.1.3, with the latest version being 5.1.4.
  First reported: 05.03.2026 20:44 (1 source, 1 article)
- Over 200 exploitation attempts were blocked by Wordfence in the past 24 hours.
  First reported: 05.03.2026 20:44 (1 source, 1 article)
- Website administrators are advised to update to the latest version or disable the plugin if updating is not possible.
  First reported: 05.03.2026 20:44 (1 source, 1 article)
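
A triage sketch for the update-or-disable advice above, added here as an example and not taken from the article or the plugin's developer: it checks the installed version against the 5.1.3 fix and lists administrator accounts registered inside a review window. The plugin slug `user-registration`, the review-window start and all sample records are assumptions constructed for illustration; the JSON is shaped like WP-CLI `wp plugin list` and `wp user list` output.

```python
import json
import re

FIXED = (5, 1, 3)            # first patched release, per the article
SLUG = "user-registration"   # assumed plugin slug; confirm with `wp plugin list`

# Constructed sample, shaped like `wp plugin list --format=json`
PLUGINS = json.loads("""[
  {"name": "akismet", "status": "active", "version": "5.3"},
  {"name": "user-registration", "status": "active", "version": "5.1.2"}
]""")

# Constructed sample, shaped like
# `wp user list --role=administrator --fields=ID,user_login,user_registered --format=json`
ADMINS = json.loads("""[
  {"ID": 1, "user_login": "siteowner", "user_registered": "2021-04-11 09:15:02"},
  {"ID": 57, "user_login": "wp_sysupd", "user_registered": "2026-03-05 03:12:44"}
]""")

def parse_version(text):
    """'5.1.2' -> (5, 1, 2); short versions are zero-padded, suffixes ignored."""
    nums = []
    for piece in text.split(".")[:3]:
        m = re.match(r"\d+", piece)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums + [0] * (3 - len(nums)))

def plugin_state(plugins):
    """Return 'absent', 'patched', 'vulnerable-active' or 'vulnerable-inactive'."""
    for p in plugins:
        if p["name"] == SLUG:
            if parse_version(p["version"]) >= FIXED:
                return "patched"
            # Deactivating is the article's fallback when updating is not possible.
            active = p["status"].startswith("active")
            return "vulnerable-active" if active else "vulnerable-inactive"
    return "absent"

def recent_admins(admins, since):
    """Administrator accounts registered at or after `since` (WP-CLI date format)."""
    # 'YYYY-MM-DD HH:MM:SS' strings sort chronologically, so string comparison works.
    return [a for a in admins if a["user_registered"] >= since]

if __name__ == "__main__":
    print("plugin:", plugin_state(PLUGINS))
    # Review-window start is an assumption; choose one that predates your exposure.
    for a in recent_admins(ADMINS, "2026-03-01 00:00:00"):
        print("review admin:", a["ID"], a["user_login"], a["user_registered"])
```

Updating does not remove accounts created before the patch was applied, so the administrator review applies to patched sites as well.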