What is the critical vulnerability in the WordPress User Registration & Membership plugin?

CVE-2026-1492 is a critical vulnerability in the User Registration & Membership plugin (versions up to 5.1.2) that allows unauthenticated attackers to bypass security measures and gain full administrative access to WordPress sites.

How do attackers exploit the User Registration & Membership plugin flaw?

Attackers exploit exposed nonce values in client-side JavaScript to craft malicious requests to the WordPress AJAX endpoint, which are processed without proper authentication or authorization, granting them administrative privileges.

What are the consequences of exploiting this WordPress plugin vulnerability?

Successful exploitation allows attackers to gain unrestricted administrative control, enabling arbitrary code execution, installation of malicious plugins, modification of themes, access to sensitive user data, and creation of persistent admin accounts.

Home / Technology / WordPress Plugin Flaw Grants Full Admin Access Unauthenticated

WordPress Plugin Flaw Grants Full Admin Access Unauthenticated

19 Apr

•

Summary

Plugin flaw allows admin access without login.
Exposed nonces enable unauthorized backend requests.
Sensitive user data exposed after privilege escalation.

WordPress Plugin Flaw Grants Full Admin Access Unauthenticated

A critical vulnerability, CVE-2026-1492, has been discovered in the User Registration & Membership WordPress plugin, impacting versions up to and including 5.1.2. This flaw allows unauthenticated attackers to bypass security controls and achieve full administrative privileges on affected websites.

Experts explain that improper server-side validation and weak authorization checks within the plugin's registration workflow are the root cause. Attackers exploit exposed nonce values found in client-side JavaScript to craft malicious requests targeting the WordPress AJAX endpoint. These requests are processed without proper authentication or authorization verification.