'Update immediately': 60,000 WordPress websites at risk after experts discover flaw that allows hackers to create hidden admin accounts

A critical security vulnerability in the User Registration & Membership WordPress plugin allows unauthenticated attackers to bypass authentication and gain full administrative control over affected websites.

Key Points

  • The flaw, tracked as CVE-2026-1492, affects all versions of the User Registration & Membership plugin up to and including version 5.1.2.
  • Attackers exploit exposed nonce values and insufficient server-side validation to execute unauthorized requests via the /wp-admin/admin-ajax.php endpoint.
  • Successful exploitation grants full administrative privileges, enabling attackers to install malicious plugins, steal sensitive user data, and inject arbitrary code.
  • The vulnerability carries a critical CVSS v4.0 score of 9.8, with reports indicating active interest and discussion of exploitation techniques in underground forums.
  • Administrators must update the plugin to version 5.1.3 immediately and audit existing user accounts for any unauthorized administrative access.
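
The nonce-plus-missing-validation pattern described above, as an added illustration that is not the plugin's own code: a WordPress admin-ajax handler that treats a nonce as if it were authorization, beside a hardened version. The action and nonce names are assumptions chosen for the example.

```php
<?php
// Illustrative pattern only (assumed names, not the plugin's code): an
// admin-ajax.php handler that relies on a nonce alone for a privileged
// action, beside a hardened form.

// Weak: a nonce only proves the request came from a page that rendered the
// nonce, not that the caller may perform the action. If that nonce is printed
// into pages any visitor can load, check_ajax_referer() passes for everyone,
// and the nopriv hook makes the handler reachable without logging in.
function example_weak_update_role() {
    check_ajax_referer( 'example_membership_nonce', 'nonce' );
    $user_id = (int) $_POST['user_id'];
    $role    = sanitize_key( $_POST['role'] );   // caller chooses any role
    $user    = get_userdata( $user_id );
    $user->set_role( $role );                    // no capability check at all
    wp_send_json_success();
}
add_action( 'wp_ajax_example_weak_update_role', 'example_weak_update_role' );
add_action( 'wp_ajax_nopriv_example_weak_update_role', 'example_weak_update_role' );

// Hardened: keep the nonce (CSRF protection), but also require a logged-in
// user, check a capability server-side, allow-list the roles that may be
// assigned, validate inputs, and never register a nopriv hook for it.
function example_hardened_update_role() {
    check_ajax_referer( 'example_membership_nonce', 'nonce' );
    if ( ! is_user_logged_in() || ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $user_id = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;
    $role    = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : '';
    $allowed = array( 'subscriber', 'member' );  // assumed allow-list; 'administrator' is never assignable here
    if ( ! $user_id || ! in_array( $role, $allowed, true ) ) {
        wp_send_json_error( 'invalid request', 400 );
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 404 );
    }
    $user->set_role( $role );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_role', 'example_hardened_update_role' );
```

When auditing a site after patching, the same distinction applies to the review: list every account holding the administrator role and compare registration dates against the window in which the vulnerable version was installed.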

Why it Matters

This vulnerability poses a severe risk to website integrity because it allows attackers to compromise entire WordPress environments without requiring any legitimate credentials. Given the ease of exploitation and the potential for ransomware or data theft, immediate patching is essential to prevent unauthorized persistent access.
TechRadar Published by Efosa Udinmwen