CVE-2026-1492
Published: 2026-03-03
CVE-2026-1492: The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for…
Priority: P1 90 · Severity: critical · CVSS 3.1 score: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 25.53% (97.7th percentile)
The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to improper privilege management in all versions up to, and including, 5.1.2. This is due to the plugin accepting a user-supplied role during membership registration without properly enforcing a server-side allowlist. This makes it possible for unauthenticated attackers to create administrator accounts by supplying a role value during membership registration.
Detection & IOCs (extracted from sources)
Command (exploit request, as extracted):
action=user_registration_membership_register_member&security=invalid&members_data=%7B%22membership%22%3A%221%22%2C%22payment_method%22%3A%22free%22%2C%22username%22%3A%22{{username}}%22%2C%22role%22%3A%22administrator%22%7D
YARA:
rule CVE_2026_1492_user_registration_priv_esc {
    strings:
        $action1 = "action=user_registration_membership_register_member"
        $role = "role\":\"administrator"
    condition:
        $action1 and $role
}
- Monitor POST requests to /wp-admin/admin-ajax.php with the action parameter set to 'user_registration_membership_register_member' and a 'role' value of 'administrator' in the members_data payload — this is the core exploit request.
- The exploit is a multi-step flow: (1) GET /registration/ to harvest form_id, form_save_nonce, and ur_frontend_form_nonce; (2) POST to admin-ajax.php with action=user_registration_user_form_submit to create the user; (3) POST to admin-ajax.php with action=user_registration_membership_register_member to elevate the role to administrator.
- A successful exploitation response contains the JSON string '"success":true' in the body of the admin-ajax.php membership registration call.
- Requests include the header 'X-Requested-With: XMLHttpRequest' — filter for unauthenticated (no session cookie) requests to admin-ajax.php with this header and the malicious action values.
- Wordfence blocked more than 200 exploitation attempts in 24 hours, confirming active in-the-wild exploitation. Prioritize detection on sites running User Registration & Membership <= 5.1.2.
- Look for newly created WordPress administrator accounts originating from the registration flow (wp_users table entries with wp_capabilities containing 'administrator') that were not created by an existing admin — a post-exploitation artifact.
- The nonce field extracted from the registration page is named 'ur_frontend_form_nonce' and 'user_registration_form_data_save' — presence of these in POST bodies to admin-ajax.php from unauthenticated sessions is a strong signal.
- The vulnerability affects all versions of the User Registration & Membership plugin up to and including 5.1.2. Version 5.1.3 introduced the fix; the current patched release is 5.1.4.
- The exploit requires the membership registration feature to be active and a registration page to be publicly accessible (e.g., /registration/). Sites where this page is disabled or restricted may not be exploitable via this exact flow.
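As an added example (not code from the page's sources or from the plugin vendor), the following Python applies the detection indicators listed above to a request record and reports which ones fire. It assumes a simple record shape (method, path, headers, cookies, raw URL-encoded body); note that the YARA `$role` literal matches the decoded JSON, not the `%22`-encoded body, so the example percent-decodes `members_data` before inspecting the role.

```python
import json
from urllib.parse import parse_qs, urlparse

# Added example, not plugin or vendor code: applies the indicators above to a
# request record (assumed shape: method, path, headers, cookies, raw body).
AJAX_PATH = "/wp-admin/admin-ajax.php"
ELEVATE_ACTION = "user_registration_membership_register_member"  # role elevation step
SUSPICIOUS_ACTIONS = {ELEVATE_ACTION, "user_registration_user_form_submit"}
NONCE_FIELDS = {"ur_frontend_form_nonce", "user_registration_form_data_save"}


def classify_request(req):
    """Return the list of indicator names that fire for one request record."""
    hits = []
    if req["method"] != "POST" or urlparse(req["path"]).path != AJAX_PATH:
        return hits
    params = parse_qs(req["body"], keep_blank_values=True)
    action = params.get("action", [""])[0]
    if action not in SUSPICIOUS_ACTIONS:
        return hits
    # No wordpress_logged_in_* cookie: an unauthenticated caller hit the action.
    if not any(c.startswith("wordpress_logged_in_") for c in req["cookies"]):
        hits.append("unauthenticated_registration_action")
    if req["headers"].get("X-Requested-With") == "XMLHttpRequest":
        hits.append("xhr_header")
    if NONCE_FIELDS & set(params):
        hits.append("registration_nonce_in_body")
    if action == ELEVATE_ACTION:
        # parse_qs has percent-decoded members_data, so the JSON parses here even
        # though the YARA $role literal above would not match the raw %22 body.
        try:
            members = json.loads(params.get("members_data", ["{}"])[0])
        except json.JSONDecodeError:
            members = {}
        if isinstance(members, dict) and str(members.get("role", "")).lower() == "administrator":
            hits.append("role_administrator_in_members_data")  # core indicator
    return hits


# Constructed sample record reproducing the exploit-shaped request listed above.
SAMPLE_EXPLOIT = {
    "method": "POST", "path": AJAX_PATH, "cookies": {},
    "headers": {"X-Requested-With": "XMLHttpRequest"},
    "body": "action=" + ELEVATE_ACTION + "&security=invalid&members_data="
            "%7B%22membership%22%3A%221%22%2C%22payment_method%22%3A%22free%22"
            "%2C%22username%22%3A%22test%22%2C%22role%22%3A%22administrator%22%7D",
}
```

Feed it records parsed from your web-server or WAF logs; a hit on `role_administrator_in_members_data` from an unauthenticated caller is the request to alert on.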
CVSS provenance
NVD: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
GHSA
GHSA-6ghq-4j9p-h2v9: The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin
ghsa_unreviewed · 2026-03-03 · CVE-2026-1492 · CRITICAL · CWE-269
VulnCheck
wpeverest user_registration_&_membership Improper Privilege Management
vulncheck · 2026 · CVE-2026-1492 · CRITICAL · CVSS 9.8
Affected: wpeverest User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin
Required Action: Apply r
No detection rules found.
Nuclei
WordPress User Registration & Membership <= 5.1.2 - Unauthenticated Privilege Escalation
nuclei · CVE-2026-1492 · CRITICAL · CVSS 9.8
User Registration & Membership WordPress plugin <= 5.1.2 contains an improper privilege management vulnerability caused by accepting user-supplied roles without server-side allowlist enforcement, letting unauthenticated attackers create administrator accounts.
Template:
id: CVE-2026-1492
info:
  name: WordPress User Registration & Membership <= 5.1.2 - Unauthenticated Privilege Escalation
  author: omarkurt
  severity: critical
  description: |
    User Registration & Membership WordPress plugin <= 5.1.2 contains an improper privilege management vulnerability caused by accepting user-supplied roles without server-side allowlist enforcement, letting unauthenticated attackers create administrator accounts
  impact:
Hackernews
⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More
blogs_hackernews · 2026-04-20 · tagged CVE-2026-20184
Monday’s recap shows the same pattern in different places. A third-party tool becomes a way in, then leads to internal access. A trusted download path is briefly swapped to deliver malware. Browser extensions act normally while pulling data and running code. Even update channels are used to push payloads. It’s not breaking systems—it’s bending trust.
There’s also a shift in how attacks run. Slower check-ins, multi-stage payloads, and more code kept in memory. Attackers lean on real tools and normal workflows instead of custom builds. Some cas
Checkpoint
9th March – Threat Intelligence Report
blogs_checkpoint · 2026-03-09 · tagged CVE-2026-0628
For the latest discoveries in cyber research for the week of 9th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
AkzoNobel, a Netherlands-based global paint manufacturer, has confirmed a cyberattack affecting one of its United States sites. The company said the intrusion was contained, while the Anubis ransomware group claimed it stole 170 GB of data, including employee and financial records.
LexisNexis, a global legal data and analytics
Bleepingcomputer
WordPress membership plugin bug exploited to create admin accounts
blogs_bleepingcomputer · 2026-03-05 · CVE-2026-1492 · CRITICAL · CVSS 9.8
By Bill Toulas
Hackers are exploiting a critical vulnerability in the User Registration & Membership plugin, which is installed on more than 60,000 WordPress sites.
Developed by WPEverest, the plugin provides membership and user registration management features, including custom forms, payment integrations with PayPal and Stripe, bank transfers, and analytics.
The security vulnerability is tracked as CVE-2026-1492 and received a critical severity rating of 9.8. Because the plugin accepts a user-supplied role during membership registration, hackers can create administrator accounts without authentication.
An administrator account has full access on the website, and it is required to install plugins and themes, edit P
Wiz
CVE-2026-1492 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVE-2026-1492 · CRITICAL · CVSS 9.8
## CVE-2026-1492: WordPress vulnerability analysis and mitigation
Source: NVD
Score: 9.8
Published: March 3, 2026
Severity: CRITICAL
CNA Score: 9.8
Affected Technologies: WordPress
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release
2026-03-03
Published
Exploited in the wild