Attack Vectors
CVE-2026-1492 is a Critical vulnerability (CVSS 9.8) affecting the WordPress plugin User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder (slug: user-registration) in versions up to and including 5.1.2.
The primary attack vector is the public-facing membership registration flow. An unauthenticated attacker can submit a registration request that includes a user-supplied role value, attempting to register a new account with elevated privileges. Because the attacker does not need valid credentials or user interaction to trigger the issue, internet-exposed sites using affected versions are at heightened risk.
For marketing-led organizations, this matters most when registration is enabled to support lead capture, gated content, community access, subscription signups, or partner portals—common growth strategies that also increase exposure if the plugin is not patched.
Security Weakness
The underlying weakness is improper privilege management during membership registration. In affected versions (≤ 5.1.2), the plugin accepts a role provided by the registering user and does not properly enforce a server-side allowlist of safe roles.
As a result, an unauthenticated attacker can potentially create an administrator account by supplying an administrator-equivalent role value during registration. This is a direct path to full site control, which is why the severity is rated Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
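To illustrate the server-side allowlist the weakness above describes as missing, the following PHP is an added example, not code from the user-registration plugin: the role of a new registrant is resolved from stored form configuration and never from the request body. The option name, the allowlist contents and the function names are assumptions; the WordPress core functions used are real.

```php
<?php
// Added illustrative example, not code from the user-registration plugin.
// Assumptions: a form's target role is stored as a plugin option keyed by form ID
// (the option name 'ur_form_default_role_<id>' is hypothetical). WordPress core
// functions get_option(), sanitize_key(), wp_roles(), wp_insert_user(),
// is_wp_error(), get_userdata() and WP_User::set_role() are real.

// Roles a self-service registration form may ever assign.
// 'administrator' and 'editor' are deliberately absent from this allowlist.
const REGISTRATION_ROLE_ALLOWLIST = ['subscriber', 'customer'];

/**
 * Resolve the role for a new registrant from server-side configuration only.
 * The client request is never consulted for the role, so a 'role' field added
 * to the POST body cannot influence the result.
 */
function resolve_registration_role(int $form_id): string {
    $configured = sanitize_key((string) get_option('ur_form_default_role_' . $form_id, 'subscriber'));

    // Reject anything outside the allowlist, and anything WordPress does not define.
    if (!in_array($configured, REGISTRATION_ROLE_ALLOWLIST, true)
        || !array_key_exists($configured, wp_roles()->roles)) {
        return 'subscriber';
    }
    return $configured;
}

/**
 * Create the account. Note that $login, $email and $password are the only
 * request-derived values; the role comes from resolve_registration_role().
 */
function register_member(int $form_id, string $login, string $email, string $password) {
    $user_id = wp_insert_user([
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => resolve_registration_role($form_id),
    ]);
    if (is_wp_error($user_id)) {
        return $user_id;
    }

    // Defence in depth: verify the stored role is still within the allowlist,
    // and log a reset so the event is visible to whoever monitors the site.
    $user = get_userdata($user_id);
    foreach ($user->roles as $role) {
        if (!in_array($role, REGISTRATION_ROLE_ALLOWLIST, true)) {
            $user->set_role('subscriber');
            error_log("registration: unexpected role '$role' reset for user $user_id");
        }
    }
    return $user_id;
}
```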
Technical or Business Impacts
If exploited, this issue can provide attackers administrator-level access, enabling broad and immediate compromise of a WordPress site. Practically, that can include changing site content, creating or deleting user accounts, installing or modifying plugins, and altering security settings—actions that can disrupt operations and undermine trust.
From a business-risk perspective, the impacts often extend beyond the website: brand damage from defaced pages or malicious redirects, lost revenue from downtime or checkout disruptions, and increased customer support burden. For regulated organizations, unauthorized access can also raise compliance concerns (e.g., incident reporting obligations) depending on what data and integrations the WordPress instance can access.
Recommended action: update the User Registration & Membership plugin to version 5.1.3 or newer (patched). Prioritize this as an urgent fix due to the vulnerability’s unauthenticated nature and Critical severity.
Similar Attacks
Unauthenticated privilege escalation and account creation flaws have been a recurring driver of WordPress compromises. Examples of real, documented cases include:
CVE-2023-27372 (S3Bubble Media Streaming) — unauthenticated privilege escalation
CVE-2024-27956 (WordPress Automatic plugin) — unauthenticated issues widely discussed and tracked