WPEverest security patch release for CVE-2026-1492

Security Patch Release
Happening score: 48
1 unique sources, 1 articles

Summary

WPEverest released fixes for CVE-2026-1492 in the User Registration & Membership plugin, a critical update for sites running vulnerable versions. The patch matters because the flaw allows unauthenticated administrator-account creation, and the plugin is installed on 60,000+ WordPress sites.

Related Happenings

LiteSpeed cPanel user-end plugin urgent security update (CVE-2026-48172)

Security Patch Release
First: 27.05.2026 13:06 Last: 27.05.2026 13:06 Sources 1

About this happening: LiteSpeed released **urgent security updates** for the **cPanel user-end plugin** after **CVE-2026-48172** was found to be **actively exploited**, reducing exposure for systems ru...

Avada Builder 3.15.3 patch release (CVE-2026-4782, CVE-2026-4798)

Security Patch Release
First: 15.05.2026 18:56 Last: 15.05.2026 18:56 Sources 1

About this happening: **Avada Builder** shipped **version 3.15.3** as the full fix for **CVE-2026-4782** and **CVE-2026-4798**, closing the plugin flaws that could expose files and database data. A pri...

cPanel security patch release for CVE-2026-41940

Security Patch Release
First: 29.04.2026 12:37 Last: 29.04.2026 12:37 Sources 1

About this happening: **cPanel** released **security updates** for **cPanel and WHM** after an **authentication bypass** flaw could let remote attackers reach control-panel access, with fixes now cover...

Latest development: 04.05.2026 22:14

CVE-2026-41940 in cPanel, WebHost Manager (WHM), and WP Squared was rapidly exploited after public disclosure, with Censys reporting attacks from multiple threat actors within 24 hours and about 15,000 potentially compromised instances in the first day. KnownHost said about 30 managed cPanel servers showed attempted exploitation, WatchTowr Labs published a PoC exploit and technical analysis, and Defused said much of the observed activity copied WatchTowr's PoC exactly.

WordPress.org closes compromised EssentialPlugin plugins with forced update

Security Tool/Service
First: 15.04.2026 23:33 Last: 15.04.2026 23:33 Sources 1

About this happening: **WordPress.org** closed the compromised **EssentialPlugin** plugins and forced an update, changing how affected sites received and ran the package. The move mattered because the...

nginx-ui 2.3.4 patch for CVE-2026-33032

Security Patch Release
First: 15.04.2026 16:00 Last: 15.04.2026 16:00 Sources 1

About this happening: **nginx-ui maintainers** shipped **version 2.3.4** to fix **CVE-2026-33032**, closing a critical security gap for **MCP-enabled** deployments. The patch matters because the flaw c...

Latest development: 15.04.2026 17:45

After Pluto Security disclosed the issue in **March 2026**, the maintainers shipped **version 2.3.4** to address **CVE-2026-33032**. The patch closed the vulnerability in the product's **AI (MCP) integration** before broader exploitation details were reported.

Timeline

  1. 05.03.2026 20:44 (2 articles)

    WPEverest patches CVE-2026-1492 in User Registration & Membership

    Mitigation Patch Update

    WPEverest’s User Registration & Membership plugin for WordPress is affected by CVE-2026-1492, a critical vulnerability rated 9.8 that lets an unauthenticated attacker create administrator accounts through user-supplied role handling during membership registration. The plugin is installed on more than 60,000 WordPress sites, and Defiant says it blocked more than 200 exploit attempts in customer environments in the past 24 hours. Website admins are advised to update from affected versions (through 5.1.2) to the fixed 5.1.3 release or the current 5.1.4 release, or to temporarily disable or uninstall the plugin if patching is not possible.