cbcvebase.
CVE-2026-1492
published 2026-03-03

CVE-2026-1492: The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for…

Priority: P190 (critical, CVSS 3.1 base score 9.8)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 25.53% (97.7th percentile)
The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to improper privilege management in all versions up to, and including, 5.1.2. This is due to the plugin accepting a user-supplied role during membership registration without properly enforcing a server-side allowlist. This makes it possible for unauthenticated attackers to create administrator accounts by supplying a role value during membership registration.

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
command: action=user_registration_membership_register_member&security=invalid&members_data=%7B%22membership%22%3A%221%22%2C%22payment_method%22%3A%22free%22%2C%22username%22%3A%22{{username}}%22%2C%22role%22%3A%22administrator%22%7D
command: action=user_registration_user_form_submit
path: /registration/
yara
rule CVE_2026_1492_user_registration_priv_esc {
    meta:
        description = "Membership registration request carrying a client-supplied administrator role (CVE-2026-1492)"
    strings:
        $action1 = "action=user_registration_membership_register_member"
        // role field as it appears once the members_data JSON has been URL-decoded
        $role = "role\":\"administrator"
        // same field as it appears in the raw, still URL-encoded POST body above
        $role_enc = "%22role%22%3A%22administrator%22"
    condition:
        $action1 and ($role or $role_enc)
}
  • Monitor POST requests to /wp-admin/admin-ajax.php with the action parameter set to 'user_registration_membership_register_member' and a 'role' value of 'administrator' in the members_data payload — this is the core exploit request.
  • The exploit is a multi-step flow: (1) GET /registration/ to harvest form_id, form_save_nonce, and ur_frontend_form_nonce; (2) POST to admin-ajax.php with action=user_registration_user_form_submit to create the user; (3) POST to admin-ajax.php with action=user_registration_membership_register_member to elevate the role to administrator.
  • A successful exploitation response contains the JSON string '"success":true' in the body of the admin-ajax.php membership registration call.
  • Requests include the header 'X-Requested-With: XMLHttpRequest' — filter for unauthenticated (no session cookie) requests to admin-ajax.php with this header and the malicious action values.
  • Wordfence blocked more than 200 exploitation attempts in 24 hours, confirming active in-the-wild exploitation. Prioritize detection on sites running User Registration & Membership <= 5.1.2.
  • Look for newly created WordPress administrator accounts originating from the registration flow (wp_users table entries with wp_capabilities containing 'administrator') that were not created by an existing admin — a post-exploitation artifact.
  • The nonce field extracted from the registration page is named 'ur_frontend_form_nonce' and 'user_registration_form_data_save' — presence of these in POST bodies to admin-ajax.php from unauthenticated sessions is a strong signal.
  • The vulnerability affects all versions of the User Registration & Membership plugin up to and including 5.1.2. Version 5.1.3 introduced the fix; the current patched release is 5.1.4.
  • The exploit requires the membership registration feature to be active and a registration page to be publicly accessible (e.g., /registration/). Sites where this page is disabled or restricted may not be exploitable via this exact flow.
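The detection points above, turned into a small request-level check. This is an added example, not code from the page or from the plugin vendor; it assumes you have request records with POST bodies available (for example from a WAF or web-server audit log) in the simple dict shape shown, and the sample records are constructed, not real traffic.

```python
import json
from urllib.parse import parse_qs

TARGET_ACTION = "user_registration_membership_register_member"


def _is_unauthenticated(headers):
    # WordPress issues a wordpress_logged_in_* cookie for authenticated sessions
    return "wordpress_logged_in_" not in headers.get("Cookie", "")


def analyze_request(req):
    """Return a finding dict for a suspicious membership registration call, else None.

    req is a dict: {"method", "path", "headers": {...}, "body": raw POST body string}
    """
    if req.get("method") != "POST" or not req.get("path", "").endswith("/wp-admin/admin-ajax.php"):
        return None
    form = parse_qs(req.get("body", ""), keep_blank_values=True)
    if form.get("action", [""])[0] != TARGET_ACTION:
        return None
    try:
        members = json.loads(form.get("members_data", ["{}"])[0])  # parse_qs already URL-decoded it
    except json.JSONDecodeError:
        members = {}
    role = members.get("role")
    if role is None:
        return None  # no client-supplied role: the missing allowlist is not exercised
    headers = req.get("headers", {})
    unauth = _is_unauthenticated(headers)
    if role == "administrator":
        severity = "critical" if unauth else "high"
    else:
        severity = "medium"  # any client-chosen role is unexpected; the server should assign it
    return {"severity": severity, "role": role, "username": members.get("username"),
            "unauthenticated": unauth,
            "xhr": headers.get("X-Requested-With") == "XMLHttpRequest"}


# Constructed sample records; the first mirrors the IOC request body listed above.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/wp-admin/admin-ajax.php",
     "headers": {"X-Requested-With": "XMLHttpRequest"},
     "body": "action=user_registration_membership_register_member&security=invalid"
             "&members_data=%7B%22membership%22%3A%221%22%2C%22payment_method%22%3A%22free%22"
             "%2C%22username%22%3A%22attacker01%22%2C%22role%22%3A%22administrator%22%7D"},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php", "headers": {},
     "body": "action=user_registration_user_form_submit&form_id=12"},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php",
     "headers": {"Cookie": "wordpress_logged_in_abc=admin%7C123"},
     "body": "action=user_registration_membership_register_member&members_data="
             "%7B%22username%22%3A%22bob%22%2C%22role%22%3A%22administrator%22%7D"},
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(analyze_request(r))
```

The first record is flagged critical (unauthenticated, administrator role, XHR header present), the plain form-submit step is not flagged on its own, and the same action from a logged-in session is downgraded to high.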

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL