WordPress Plugin Flaw Grants Full Admin Access Unauthenticated
19 Apr
Summary
- Plugin flaw allows admin access without login.
- Exposed nonces enable unauthorized backend requests.
- Sensitive user data exposed after privilege escalation.

A critical vulnerability, CVE-2026-1492, has been discovered in the User Registration & Membership WordPress plugin, impacting versions up to and including 5.1.2. This flaw allows unauthenticated attackers to bypass security controls and achieve full administrative privileges on affected websites.
Experts explain that improper server-side validation and weak authorization checks within the plugin's registration workflow are the root cause. Attackers exploit exposed nonce values found in client-side JavaScript to craft malicious requests targeting the WordPress AJAX endpoint. These requests are processed without proper authentication or authorization verification.
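To make the root cause concrete, here is an added illustration (not code from the plugin or from this article) of the handler pattern described above: a WordPress AJAX action that treats a nonce embedded in client-side JavaScript as if it were authorization, beside a corrected handler that requires a logged-in user, checks capability, and keeps the role decision server-side. The action name, nonce action and option values are placeholders.

```php
<?php
// Added example. Hypothetical handler names; not the vulnerable plugin's code.
// WordPress routes both hooks through wp-admin/admin-ajax.php.

// WEAK pattern: registered on the nopriv hook, so it runs for anonymous
// visitors, and a nonce alone is treated as the access check. The nonce is
// printed into page JavaScript, so anyone who loads the page can read it.
add_action( 'wp_ajax_nopriv_example_set_role', 'example_set_role_weak' );
function example_set_role_weak() {
    check_ajax_referer( 'example_register', 'nonce' ); // CSRF token only, not authorization
    $user = get_user_by( 'id', absint( $_POST['user_id'] ?? 0 ) );
    if ( $user ) {
        $user->set_role( sanitize_key( $_POST['role'] ?? '' ) ); // caller picks any role
    }
    wp_send_json_success();
}

// HARDENED pattern: authenticated hook only, explicit login and capability
// checks, and a server-side allowlist so the request cannot choose 'administrator'.
add_action( 'wp_ajax_example_set_role', 'example_set_role_hardened' ); // no nopriv variant
function example_set_role_hardened() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    check_ajax_referer( 'example_register', 'nonce' );
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $user = get_user_by( 'id', absint( $_POST['user_id'] ?? 0 ) );
    if ( ! $user ) {
        wp_send_json_error( 'unknown user', 400 );
    }
    // Roles a registration flow may ever assign; decided here, never by the client.
    $allowed_roles = array( 'subscriber' );
    $role = sanitize_key( $_POST['role'] ?? '' );
    if ( ! in_array( $role, $allowed_roles, true ) ) {
        wp_send_json_error( 'role not permitted', 400 );
    }
    $user->set_role( $role );
    wp_send_json_success( array( 'user_id' => $user->ID, 'role' => $role ) );
}
```

When reviewing a plugin update, the things to confirm are that privileged actions have no `wp_ajax_nopriv_` registration, that every handler pairs `check_ajax_referer()` with a `current_user_can()` check, and that role or capability values never come from request input.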
Successful exploitation grants attackers unrestricted administrative control, enabling them to execute arbitrary code, install malicious plugins, modify themes, and access sensitive user data. Persistent access can be ensured by creating hidden admin accounts. The vulnerability has a critical CVSS v4.0 score of 9.8, and active exploitation discussions are occurring in underground forums, highlighting the immediate need for administrators to update to version 5.1.3.