Hackers Taking Advantage of Vulnerability in WordPress Membership Plugin to Generate Admin Accounts


Critical Vulnerability in WordPress Plugin Poses Major Security Risk

  • Severe flaw detected in WordPress plugin enables unauthorized admin registrations
  • Over 37,000 websites are potentially compromised

A significant security vulnerability has been uncovered in a widely used WordPress plugin: an unchecked registration parameter permits unauthorized individuals to gain administrative control over affected sites.

According to security experts from Defiant, the critical flaw resides in the User Registration & Membership plugin, which lets administrators create subscription frameworks, manage user access, and process payments.

This vulnerability is attributable to the plugin’s failure to adequately enforce role validation at the server level during the registration process.

This oversight permits unauthorized attackers to create admin accounts simply by submitting a role value during registration.
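To make that failure concrete, the following is an added illustration, not the plugin's code and not taken from the article's sources: a custom WordPress registration handler that trusts a client-supplied role, beside a hardened version that resolves the role on the server from an allow-list. The field names, nonce action and function names are assumptions.

```php
<?php
// Added illustration only; not the User Registration & Membership plugin's code.
// Field names ('username', 'email', 'role', 'demo_nonce') are assumptions.

// VULNERABLE PATTERN: the role named in the request is assigned as-is, so any
// value the client sends, including 'administrator', becomes the new user's
// role. This is the class of defect the article describes.
function demo_register_vulnerable() {
    $role = sanitize_text_field( wp_unslash( $_POST['role'] ?? 'subscriber' ) );
    return wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role, // trusted client input: the defect
    ) );
}

// HARDENED PATTERN: the server decides the role. The client may only choose
// among a fixed allow-list of low-privilege membership roles; anything else
// falls back to the site's default, and privileged roles are unreachable.
function demo_resolve_role( $requested ) {
    $allowed = array( 'subscriber' ); // extend with custom member roles only
    $default = get_option( 'default_role', 'subscriber' );
    if ( ! in_array( $default, $allowed, true ) ) {
        $default = 'subscriber';
    }
    if ( ! is_string( $requested ) || ! in_array( $requested, $allowed, true ) ) {
        return $default;
    }
    return $requested;
}

function demo_register_hardened() {
    // Anti-CSRF check on the form submission (nonce action name assumed).
    if ( ! wp_verify_nonce( $_POST['demo_nonce'] ?? '', 'demo_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid registration request.' );
    }
    $role    = demo_resolve_role( wp_unslash( $_POST['role'] ?? '' ) );
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    // Re-assert the resolved role after creation so no filter or later code
    // path can leave the account with an elevated role.
    ( new WP_User( $user_id ) )->set_role( $role );
    return $user_id;
}
```

The same principle applies to any membership plugin: the role or membership level is a server-side decision, and the request may at most select among options the server has already approved.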

Exploitation in Progress

The vulnerability has been categorized as “improper privilege management” and is designated CVE-2026-1492, with a severity rating of 9.8 out of 10. This issue impacts all versions of the plugin up to, and including, 5.1.2. Fortunately, a patch is available in version 5.1.3.

Research indicates that within a mere 24 hours, cybercriminals executed over 200 attempts to exploit this vulnerability, showing that malicious actors are well aware of the flaw and are actively seeking vulnerable websites.

Moreover, the attack surface is substantial, with the official WordPress repository noting that the User Registration & Membership plugin has been installed on over 60,000 active websites, the bulk of which (62.7%) are operating on versions 4.4 or older.

This indicates that a minimum of 37,000 websites remain susceptible to this critical flaw.

Compounding the issue, the plugin’s page does not differentiate between versions 5.1.2 and 5.1.3, suggesting that the actual number of vulnerable sites could be significantly higher.


With administrative credentials, malicious actors can cause severe damage, including stealing sensitive information, using the site to distribute malware, redirecting legitimate traffic to malicious ad-laden domains, and tricking users into divulging their login credentials, among other possibilities.

Source link: Techradar.com.

Disclosure: This article is for general information only and is based on publicly available sources. We aim for accuracy but can't guarantee it. The views expressed are the author's and may not reflect those of the publication. Some content was created with help from AI and reviewed by a human for clarity and accuracy. We value transparency and encourage readers to verify important details. This article may include affiliate links. If you buy something through them, we may earn a small commission — at no extra cost to you. All information is carefully selected and reviewed to ensure it's helpful and trustworthy.

Reported By

RS Web Solutions
