Platform
wordpress
Component
user-registration
Fixed in
5.1.3
CVE-2026-1492 is a critical privilege escalation vulnerability discovered in the User Registration & Membership plugin for WordPress. This flaw allows unauthenticated attackers to bypass access controls and create administrator accounts, granting them complete control over the affected WordPress site. The vulnerability impacts versions 0.0.0 through 5.1.2, and a patch is available in version 5.1.3.
The impact of CVE-2026-1492 is severe. Successful exploitation allows an attacker to gain full administrative access to the WordPress site without needing any prior credentials. This grants them the ability to modify content, install malicious plugins, steal sensitive data (user credentials, customer information, financial data), and potentially pivot to other systems on the network. The attacker could effectively take over the entire website and use it for malicious purposes, such as phishing, malware distribution, or defacement. This vulnerability is particularly concerning given the widespread use of WordPress and the plugin's popularity.
CVE-2026-1492 was published on March 3, 2026. The vulnerability's severity is confirmed as CRITICAL (CVSS 9.8). Public proof-of-concept (POC) code is likely to emerge quickly given the ease of exploitation. While no active campaigns have been publicly reported as of this writing, the vulnerability's simplicity and high severity make it a prime target for opportunistic attackers. Monitor security advisories and threat intelligence feeds for any indications of exploitation.
EPSS
24.71% (96th percentile)
The primary mitigation for CVE-2026-1492 is to immediately upgrade the User Registration & Membership plugin to version 5.1.3 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a temporary workaround by restricting the roles that can be assigned during membership registration through code modifications (if possible) or by disabling the custom registration form builder feature. Monitor WordPress logs for suspicious activity, particularly attempts to register users with administrative roles. After upgrading, verify the fix by attempting to register a new user with an administrator role – the registration should fail.
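The "restrict roles during registration" workaround above can be implemented at the WordPress core level, independently of the plugin's own form builder. The following must-use plugin is an added example written for this page, not code from the User Registration & Membership plugin: it hooks the core `user_register`, `set_user_role` and `add_user_role` actions, and whenever an account ends up with a privileged role while no logged-in user holding the `promote_users` capability made the request, it demotes the account to `subscriber` and writes an audit line to the PHP error log. The privileged-role list, the fallback role and the `[role-guard]` log prefix are assumptions chosen for the example.

```php
<?php
/**
 * Plugin Name: Registration Role Guard (added example, not the plugin's own code)
 *
 * Refuses privileged roles on accounts whose role is assigned while nobody with
 * the promote_users capability is logged in, and logs each refusal.
 * Install as wp-content/mu-plugins/registration-role-guard.php so it loads
 * before ordinary plugins.
 */

// Roles that self-service registration must never yield. Constructed list;
// extend it with any privileged custom roles your site defines.
const RRG_PRIVILEGED_ROLES = array( 'administrator', 'editor' );

// Role forced onto an account that was given a privileged role it may not have.
const RRG_FALLBACK_ROLE = 'subscriber';

/**
 * True when the current request is allowed to hand out privileged roles:
 * a logged-in user who can promote users, or a WP-CLI session.
 */
function rrg_request_may_assign_privileged_roles() {
	if ( defined( 'WP_CLI' ) && WP_CLI ) {
		return true;
	}
	return is_user_logged_in() && current_user_can( 'promote_users' );
}

/**
 * Demotes $user_id if it holds a privileged role the request was not
 * entitled to assign. Returns true when a demotion happened.
 */
function rrg_enforce_role( $user_id ) {
	$user = get_userdata( $user_id );
	if ( ! $user ) {
		return false;
	}

	$privileged = array_intersect( (array) $user->roles, RRG_PRIVILEGED_ROLES );
	if ( empty( $privileged ) || rrg_request_may_assign_privileged_roles() ) {
		return false; // Ordinary member account, or a legitimate staff action.
	}

	// set_role() re-fires set_user_role with the fallback role, which is not
	// privileged, so the handler exits on that second pass.
	$user->set_role( RRG_FALLBACK_ROLE );

	$ip = isset( $_SERVER['REMOTE_ADDR'] )
		? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
		: 'unknown';
	error_log( sprintf(
		'[role-guard] user #%d (%s) from %s received role(s) %s without promote_users; demoted to %s',
		$user_id,
		$user->user_login,
		$ip,
		implode( ',', $privileged ),
		RRG_FALLBACK_ROLE
	) );
	return true;
}

// Fires once the user row exists (wp_insert_user / wp_create_user paths).
add_action( 'user_register', 'rrg_enforce_role', 10, 1 );
// Fire again if a role is set or added later in the same request.
add_action( 'set_user_role', 'rrg_enforce_role', 10, 1 );
add_action( 'add_user_role', 'rrg_enforce_role', 10, 1 );
```

Keep RRG_PRIVILEGED_ROLES limited to genuinely privileged roles: membership plugins commonly grant paid-member roles from payment-gateway webhooks, where no user is logged in, and those assignments must keep working. The `[role-guard]` lines in the PHP error log double as the detection signal the advisory asks you to watch for; any such line after the upgrade to 5.1.3 points at a request that still tried to obtain an administrative role. The guard is a stop-gap and does not replace installing the fixed version.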
Upgrade to version 5.1.3 or a later fixed version.
CVE-2026-1492 is a critical vulnerability in the User Registration & Membership plugin for WordPress that allows unauthenticated attackers to create administrator accounts, granting them full control over the website.
You are affected if your WordPress site uses the User Registration & Membership plugin and is running version 5.1.2 or earlier. Immediately check your plugin version and upgrade if necessary.
Upgrade the User Registration & Membership plugin to version 5.1.3 or later. If immediate upgrade is not possible, consider temporary workarounds like restricting roles during registration.
While no active campaigns have been publicly reported, the vulnerability's simplicity and high severity make it a likely target for attackers. Continuous monitoring is recommended.
Refer to the official WordPress security announcements and the plugin developer's website for the latest information and advisory regarding CVE-2026-1492.