Mallory

Exploitation of CVE-2026-1492 in WordPress User Registration & Membership Plugin Enables Admin Account Creation

Tags: actively-exploited-vulnerability, internet-facing-service-vulnerability, widely-deployed-product-advisory, initial-access-method

Updated April 13, 2026 at 10:01 AM (4 sources)

Active exploitation has been reported against CVE-2026-1492 in the User Registration & Membership WordPress plugin (WPEverest), allowing unauthenticated privilege escalation by submitting a user-controlled role value during membership registration. The flaw affects versions through 5.1.2 and enables attackers to create administrator accounts, which can then be used to install plugins/themes, modify PHP code and security settings, exfiltrate site/user data, and potentially implant malware or backdoors. Wordfence/Defiant telemetry cited in reporting indicates exploitation attempts were observed and blocked at scale in customer environments.

A fix was released in 5.1.3 (with 5.1.4 now available), and the recommended mitigation is to update immediately, or to temporarily disable or uninstall the plugin if patching is not possible. Other WordPress plugin CVEs that appear in the same source material, CVE-2026-1321 (Restrict Content unauthenticated privilege escalation via rcp_level), CVE-2026-1720 (WowOptin missing authorization allowing Subscriber+ users to install arbitrary plugins), and CVE-2026-2628 (All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login authentication bypass), are separate issues and should be tracked independently; none of them describes the exploited vulnerability in User Registration & Membership (CVE-2026-1492).

Timeline

  1. Mar 5, 2026

    Public reports warn CVE-2026-1492 is being actively exploited

    Security outlets reported that CVE-2026-1492 was under active exploitation and affects more than 60,000 WordPress sites using the User Registration & Membership plugin. The reports urged defenders to update, remove the plugin if necessary, and audit sites for unauthorized administrator accounts.

  2. Mar 4, 2026

    Wordfence detects active exploitation attempts against customer sites

    Defiant said it blocked more than 200 attempts to exploit CVE-2026-1492 in customer environments over a 24-hour period. The activity showed attackers were actively trying to create administrator accounts on vulnerable WordPress sites.

  3. Mar 3, 2026

    Wordfence receives and records CVE-2026-1492 vulnerability report

    The vulnerability record states that security@wordfence.com received the CVE-2026-1492 report on March 3, 2026. The issue was documented as a critical flaw with CVSS 9.8 and linked to WordPress plugin Trac and Wordfence references.

  4. Mar 3, 2026

    Vendor fixes CVE-2026-1492 in User Registration & Membership 5.1.3

    The plugin vendor released version 5.1.3 to restrict assignable roles during registration and remediate CVE-2026-1492. Administrators were later advised to update to the latest available version, 5.1.4, or disable the plugin if they could not patch immediately.

  5. Mar 3, 2026

    Researcher Foxyyy discovers privilege-escalation flaw in WordPress plugin

    A critical improper privilege management vulnerability was identified in the User Registration & Membership WordPress plugin, affecting versions through 5.1.2. The flaw allows unauthenticated users to supply a privileged role during registration and create administrator accounts.
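A site-level check for the audit step the reports recommend (look for administrator accounts you did not create): this is an added example, not code from Mallory, Wordfence or the plugin vendor. It assumes WP-CLI is installed and filters the CSV that `wp user list --role=administrator --format=csv` prints for accounts registered on or after a cutoff date; the CSV embedded below is constructed sample data, not real accounts.

```shell
#!/bin/sh
# Usage on a real site (the WP-CLI fields below exist in `wp user list`):
#   . ./audit_admins.sh
#   wp user list --role=administrator \
#       --fields=ID,user_login,user_email,user_registered --format=csv \
#     | flag_new_admins 2026-03-03
# Every row printed is an administrator registered on/after the cutoff; any
# account you cannot account for should be treated as suspicious.

# flag_new_admins CUTOFF  (CUTOFF is YYYY-MM-DD; reads CSV on stdin)
# WordPress stores user_registered as "YYYY-MM-DD HH:MM:SS", so comparing the
# first 10 characters as strings is a correct date comparison.
flag_new_admins() {
    cutoff="$1"
    awk -F, -v cutoff="$cutoff" '
        NR == 1 {            # header row: find the user_registered column
            for (i = 1; i <= NF; i++) if ($i == "user_registered") col = i
            if (!col) { print "no user_registered column" > "/dev/stderr"; exit 2 }
            next
        }
        substr($col, 1, 10) >= cutoff { print }   # registered on/after cutoff
    '
}

# Constructed sample standing in for real WP-CLI output (not real accounts).
SAMPLE_CSV='ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2021-06-14 09:12:44
57,wpadmin2,x@example.net,2026-03-04 02:17:09
58,svc_backup,y@example.org,2026-03-05 11:40:01'

# count_new_admins CUTOFF: number of sample administrators flagged by the filter
count_new_admins() {
    printf '%s\n' "$SAMPLE_CSV" | flag_new_admins "$1" | wc -l | tr -d ' '
}
```

The registration date only catches accounts created through the vulnerable flow; compare the full administrator list against your own records as well.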


Related Stories

Critical WordPress Plugin Vulnerabilities Enable Account Takeover and Privilege Escalation

Multiple high-severity vulnerabilities were disclosed across popular **WordPress plugins**, creating pathways to account takeover, privilege escalation, and sensitive data exposure. The most severe issue, **CVE-2025-15521** in *Academy LMS* (<= `3.5.0`), allows **unauthenticated administrator account takeover** because the plugin’s password update flow relies on a **publicly exposed WordPress nonce** as authorization rather than validating user identity; *Wordfence* reported observing exploitation attempts in the wild and blocking dozens of attacks in a 24-hour period. Additional disclosures affect other plugins with different exploitation prerequisites and impacts. **CVE-2026-0726** in *Nexter Extension – Site Enhancements Toolkit* (<= `4.4.6`) is an **unauthenticated PHP object injection** via `nxt_unserialize_replace`, but it requires a usable **POP chain** from another installed plugin/theme to reach file deletion, data theft, or code execution. **CVE-2025-15347** in *Creator LMS* (<= `1.1.12`) enables **authenticated (Contributor+)** attackers to update arbitrary WordPress options due to a missing capability check, potentially leading to privilege escalation or site compromise. **CVE-2025-14977** in *Dokan* (<= `4.2.4`) is an **IDOR** in the `/wp-json/dokan/v1/settings` REST endpoint that lets **authenticated (Customer+)** users read/modify other vendors’ settings, including changing PayPal payout emails and accessing bank/payment details, enabling fraud and sensitive information disclosure.

1 month ago

WordPress Plugin Flaws Enable Privilege Escalation to Administrator

Two newly disclosed vulnerabilities in WordPress plugins can let attackers elevate privileges to **Administrator** by abusing improper handling of user profile metadata. `CVE-2026-4261` affects **Expire Users** through version `1.2.2`, where the `save_extra_user_profile_fields` function allows modification of the `on_expire_default_to_role` meta value; an authenticated attacker with **Subscriber-level access or higher** can exploit the flaw to gain full administrative control. The issue was classified as `CWE-862` and carries a high-severity `CVSS v3.1` score with the vector `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`. A second flaw, `CVE-2026-3629`, impacts **Import and export users and customers** through version `1.29.7` and can, under specific conditions, allow even **unauthenticated** attackers to become administrators. The plugin's `save_extra_user_profile_fields` logic fails to block sensitive keys such as `wp_capabilities` because `get_restricted_fields` does not restrict them, enabling a crafted registration request to assign elevated privileges when **"Show fields in profile"** is enabled and a previously imported CSV included a `wp_capabilities` column header. That vulnerability was classified as `CWE-269` with a `CVSS v3.1` vector of `AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`.

1 month ago

Unauthenticated Privilege Escalation in WordPress *Advanced Custom Fields: Extended* (CVE-2025-14533)

A critical vulnerability, **CVE-2025-14533**, was disclosed in the WordPress plugin *Advanced Custom Fields: Extended* affecting versions **<= 0.9.2.1**. The issue is an **unauthenticated privilege escalation** in the plugin’s user-form handling, where the `insert_user` logic does not properly restrict which roles can be assigned during registration; as a result, an attacker can submit a registration request specifying the **`administrator`** role and obtain full administrative access under certain configurations. Reporting indicates exploitation depends on site configuration: the flaw is reachable when a form is set up so that the **`role`** value is mapped to a custom field, i.e., a user role field is present in the form. The weakness was identified by **Andrea Bocchetti** via the **Wordfence Bug Bounty Program**, and is associated with **CWE-269 (Improper Privilege Management)**; once admin access is obtained, attackers can fully compromise the site (e.g., upload malicious plugins/themes, plant backdoors, or alter content for redirects).

1 month ago
