Hackers exploiting WordPress membership plugin bug to create admin accounts


  • Critical flaw found in WordPress plugin allowing attackers to register admin accounts unauthenticated
  • Over 37,000 sites currently exposed

Tens of thousands of WordPress websites are vulnerable to full site takeover, thanks to a critical-severity vulnerability just discovered in a popular plugin.

Security researchers at Defiant reported finding a bug in User Registration & Membership, a WordPress plugin which helps admins create subscription plans, control user access, and accept payments. The bug is due to the plugin accepting user-supplied roles during membership registration, without properly enforcing a server-side allowlist.

As a result, unauthenticated attackers can create admin accounts by supplying a role value at registration.
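The pattern behind this class of bug, as an added illustration (not the plugin's own code): a registration handler that copies a client-supplied `role` into `wp_insert_user()`, beside a hardened form that derives the role server-side from the chosen plan and checks it against an allowlist. The `demo_` function names, the plan-to-role mapping and the allowlist contents are assumptions made for the example; a short audit helper for site owners checking for administrator accounts created during an exploitation window is included as well.

```php
<?php
// Added illustration of the "improper privilege management" pattern in a
// WordPress membership registration flow. Not the plugin's code; the demo_
// names, plan mapping and allowlist are hypothetical.

// VULNERABLE PATTERN: the role is taken from the request body, so an
// unauthenticated visitor decides which role the new account receives.
function demo_register_member_insecure( array $request ) {
    $userdata = array(
        'user_login' => sanitize_user( $request['username'] ?? '' ),
        'user_email' => sanitize_email( $request['email'] ?? '' ),
        'user_pass'  => (string) ( $request['password'] ?? '' ),
        'role'       => $request['role'] ?? 'subscriber', // attacker-controlled
    );
    return wp_insert_user( $userdata );
}

// HARDENED PATTERN: roles that self-registration may ever assign. Kept on the
// server; a real plugin would expose this as an admin-only setting.
function demo_allowed_member_roles() {
    return array( 'subscriber', 'member' );
}

// Map the selected membership plan to a role. The client only chooses a plan
// id; the role itself is never read from the request.
function demo_resolve_role( $plan_id ) {
    $plan_roles = array( 1 => 'subscriber', 2 => 'member' ); // hypothetical plans
    $role       = $plan_roles[ (int) $plan_id ] ?? 'subscriber';
    if ( ! in_array( $role, demo_allowed_member_roles(), true ) ) {
        return 'subscriber'; // fail closed to the least-privileged role
    }
    return $role;
}

function demo_register_member_secure( array $request ) {
    $username = sanitize_user( $request['username'] ?? '', true );
    $email    = sanitize_email( $request['email'] ?? '' );
    $password = (string) ( $request['password'] ?? '' );

    if ( '' === $username || ! is_email( $email ) || strlen( $password ) < 12 ) {
        return new WP_Error( 'demo_invalid_input', 'Invalid registration data.' );
    }

    $userdata = array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => demo_resolve_role( $request['plan_id'] ?? 0 ),
    );
    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }

    // Defense in depth: if any filter elsewhere altered the role, force it back
    // to an allowlisted one rather than leaving a privileged account behind.
    $user = get_user_by( 'id', $user_id );
    if ( $user && array_diff( $user->roles, demo_allowed_member_roles() ) ) {
        $user->set_role( 'subscriber' );
    }
    return $user_id;
}

// Audit helper for site owners: administrator accounts registered after a
// given date (MySQL datetime string), useful when checking whether unexpected
// admins appeared on a site that ran a vulnerable version.
function demo_recent_admin_accounts( $since ) {
    $query = new WP_User_Query( array(
        'role'       => 'administrator',
        'date_query' => array( array( 'after' => $since ) ),
        'fields'     => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
    ) );
    return $query->get_results();
}
```

The key difference is that the hardened handler never reads a `role` key from the request at all: the role is a server-side consequence of the plan, and the allowlist check plus the post-insert verification mean that even a misconfigured mapping cannot yield an administrator. Running `demo_recent_admin_accounts()` with the date the vulnerable version was installed gives a quick list of accounts to review.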

Actively abused

The bug is described as “improper privilege management” and is now tracked as CVE-2026-1492. It has a severity score of 9.8/10 (critical) and affects all versions of the plugin up to, and including, 5.1.2. It was fixed in version 5.1.3, which is now available for download.

The researchers said they saw more than 200 attempts to exploit this vulnerability in just 24 hours, suggesting that cybercriminals are well aware of the flaw and are actively looking for exposed websites.

The attack surface is rather large, too, as according to the official WordPress repository, User Registration & Membership is installed on more than 60,000 active websites, and the vast majority (62.7%) are running versions 4.4 and older.

That means at least 37,000 websites are currently susceptible to the improper privilege management bug.

To make matters worse, the plugin page does not differentiate between versions 5.1.2 and 5.1.3, so it is quite possible that the actual number of vulnerable websites is even greater.

With an admin account, threat actors can wreak all sorts of havoc, from exfiltrating sensitive data to using the website as a host for malware. They can also redirect legitimate traffic to malicious websites riddled with ads, trick users into sharing login credentials, and more.

Via BleepingComputer



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
