'Update immediately': 60,000 WordPress websites at risk after experts discover flaw that allows hackers to create hidden admin accounts


  • User Registration & Membership plugin flaw allows attackers to gain admin access without login
  • Exposed nonce values enable unauthorized backend requests and privilege escalation
  • Sensitive user data becomes exposed once administrative privileges are obtained

A critical security flaw in a widely used WordPress plugin allows unauthenticated attackers to bypass authentication controls and gain full administrative access to affected websites.

The vulnerability, tracked as CVE-2026-1492, affects the User Registration & Membership plugin, versions 5.1.2 and earlier.

Experts at Cyfirma say improper server-side validation and weak authorization checks within the membership registration workflow create this dangerous gap.


How attackers exploit the vulnerability without any credentials

Attackers can abuse exposed client-side data and insufficient backend validation to manipulate parameters that directly influence authentication and privilege assignment.

The vulnerability stems from trusting user-controlled input rather than enforcing strict server-side validation.

Backend endpoints process membership-related actions without proper authentication or authorization checks.

This weakness becomes dangerous because exposed nonce values within client-side JavaScript are accessible to unauthenticated users.

Attackers can then reuse these nonce values in crafted requests to manipulate backend behavior, even for website builders.

By inspecting these values, attackers can construct malicious requests targeting the WordPress AJAX endpoint at /wp-admin/admin-ajax.php.

The backend processes these requests without verifying the request origin or authorization state.

This results in automatic authentication and privilege escalation, where administrative access is granted without any legitimate login process taking place.
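The pattern described above, as an added illustration (not the plugin's code): a WordPress AJAX handler that is reachable without login, gates only on a nonce that public JavaScript exposes, and lets the request choose the role, beside a version that keeps registration public but decides privilege server-side. The action name, nonce action and field names are assumptions.

```php
<?php
// Added example, not code from the affected plugin. Names are assumptions.

// WEAK: wp_ajax_nopriv_ makes this callable by anyone. A nonce issued to a
// logged-out visitor is not tied to a user, so once it appears in public
// JavaScript it only proves the caller saw the page, not that they may act.
add_action( 'wp_ajax_nopriv_example_register_member', 'example_register_member_weak' );
function example_register_member_weak() {
    check_ajax_referer( 'example_member_nonce', 'nonce' ); // the only gate
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['login'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) wp_unslash( $_POST['password'] ?? '' ),
        'role'       => sanitize_key( $_POST['role'] ?? '' ), // client picks its own privilege
    ) );
    wp_send_json_success( array( 'id' => $user_id ) );
}

// HARDENED: registration stays public, but the server owns every decision
// that affects privilege. The nonce is kept for CSRF only.
add_action( 'wp_ajax_nopriv_example_register_member', 'example_register_member_hardened' );
function example_register_member_hardened() {
    check_ajax_referer( 'example_member_nonce', 'nonce' );
    // Honour the site-wide "Anyone can register" setting instead of assuming it.
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( array( 'message' => 'Registration is closed' ), 403 );
    }
    $login = sanitize_user( wp_unslash( $_POST['login'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( '' === $login || ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid input' ), 400 );
    }
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => get_option( 'default_role', 'subscriber' ), // never from the request
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 400 );
    }
    // No automatic login here: the new account still has to authenticate normally.
    wp_send_json_success( array( 'id' => $user_id ) );
}
```

The two handlers differ in exactly the properties the advisory names: where the role comes from, whether the nonce is treated as authorization, and whether the request can end in an authenticated privileged session.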

Successful exploitation grants attackers unrestricted administrative privileges over the entire WordPress environment.

With this level of access, attackers can install malicious plugins and modify themes to execute arbitrary code.

They can also access sensitive user data, including credentials and configuration files.

Hidden admin accounts can be created to ensure persistent access even after initial detection.

These attackers can also redirect website visitors to phishing pages or malware distribution sites.

Website defacement, content tampering, and malicious script injection become trivial once administrative control is established.

All versions of the User Registration & Membership plugin up to and including version 5.1.2 are vulnerable to this flaw. The issue has been addressed in version 5.1.3 through improved validation and authorization mechanisms, so website administrators must update immediately.

After updating, administrators should review existing user accounts, especially those with administrative privileges, which will help identify any unauthorized accounts created before patching.

Suspicious sessions should be invalidated, and credentials reset if compromise is suspected.

The vulnerability carries a CVSS v4.0 score of 9.8 out of 10, indicating critical severity.

Observed discussions in underground forums show active interest in exploiting this vulnerability.

Hackers are already sharing exploitation techniques among themselves and discussing automation strategies.

Initial Access Brokers may leverage this flaw to obtain administrative access and resell it for ransomware deployment, SEO spam campaigns, or credential harvesting operations.

Given the low complexity of exploitation and public awareness of the technique, website owners running the affected plugin should treat their systems as actively at risk and prioritize remediation immediately.




Efosa Udinmwen
Freelance Journalist

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking.
