Platform
wordpress
Component
user-registration
Fixed in
5.1.3
CVE-2026-1492 is a critical privilege escalation vulnerability discovered in the User Registration & Membership plugin for WordPress. This flaw allows unauthenticated attackers to bypass access controls and create administrator accounts, granting them complete control over the affected WordPress site. The vulnerability impacts versions 0.0.0 through 5.1.2, and a patch is available in version 5.1.3.
The impact of CVE-2026-1492 is severe. Successful exploitation allows an attacker to gain full administrative access to the WordPress site without needing any prior credentials. This grants them the ability to modify content, install malicious plugins, steal sensitive data (user credentials, customer information, financial data), and potentially pivot to other systems on the network. The attacker could effectively take over the entire website and use it for malicious purposes, such as phishing, malware distribution, or defacement. This vulnerability is particularly concerning given the widespread use of WordPress and the plugin's popularity.
CVE-2026-1492 was published on March 3, 2026. The vulnerability's severity is confirmed as CRITICAL (CVSS 9.8). Public proof-of-concept (POC) code is likely to emerge quickly given the ease of exploitation. While no active campaigns have been publicly reported as of this writing, the vulnerability's simplicity and high severity make it a prime target for opportunistic attackers. Monitor security advisories and threat intelligence feeds for any indications of exploitation.
Exploit Status
EPSS
24.71% (96% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-1492 is to immediately upgrade the User Registration & Membership plugin to version 5.1.3 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a temporary workaround by restricting the roles that can be assigned during membership registration through code modifications (if possible) or by disabling the custom registration form builder feature. Monitor WordPress logs for suspicious activity, particularly attempts to register users with administrative roles. After upgrading, verify the fix by attempting to register a new user with an administrator role – the registration should fail.
Update to version 5.1.3, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-1492 is a critical vulnerability in the User Registration & Membership plugin for WordPress that allows unauthenticated attackers to create administrator accounts, granting them full control over the website.
You are affected if your WordPress site uses the User Registration & Membership plugin and is running version 5.1.2 or earlier. Immediately check your plugin version and upgrade if necessary.
Upgrade the User Registration & Membership plugin to version 5.1.3 or later. If immediate upgrade is not possible, consider temporary workarounds like restricting roles during registration.
While no active campaigns have been publicly reported, the vulnerability's simplicity and high severity make it a likely target for attackers. Continuous monitoring is recommended.
Refer to the official WordPress security announcements and the plugin developer's website for the latest information and advisory regarding CVE-2026-1492.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.