
A critical security flaw in a widely used WordPress membership plugin has made it trivially simple for unauthenticated attackers to create administrator accounts and seize control of affected sites. The vulnerability, tracked as CVE-2026-1492, exposes a systemic weakness in how the plugin handled role assignment during user registration. This post summarizes what happened, who discovered it, the immediate risks, and the concrete steps site owners should take now.
What the flaw is and how it works
The vulnerability stems from improper privilege management in the User Registration Membership plugin for WordPress. When the plugin processed new registrations, it accepted a role value supplied by the registering user without enforcing a server-side allowlist. In short, the plugin failed to verify whether the requested role was permitted. Because of that omission, an attacker can submit a registration request that assigns the administrator role to the new account. No prior authentication is required to exploit the flaw, which makes it especially dangerous: it allows full site takeover from an unauthenticated request.
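To make the pattern concrete, the following PHP is an added illustration written for this post; it is not the plugin's code, and the post does not give the plugin's real parameter names or internals. The request field `role`, the allowed-role list, the stand-in for `wp_insert_user()` (so the file runs under plain `php` without a WordPress install) are all assumptions. The vulnerable handler trusts whatever role the client submits; the hardened handler chooses the role server-side against an exact-match allowlist and falls back to the default rather than failing open.

```php
<?php
// Added illustration, not the plugin's code. The request field "role", the
// allowed-role list and the stub below are assumptions for this example.

// Stand-in for WordPress's wp_insert_user(), which accepts a 'role' key and
// assigns it as given. Replaced with a stub so this runs outside WordPress.
function wp_insert_user_stub(array $userdata): int
{
    static $next_id = 100;
    printf("created user %s with role %s\n", $userdata['user_login'], $userdata['role']);
    return $next_id++;
}

// Roles that self-registration may legitimately grant (assumed values).
const REGISTRATION_ALLOWED_ROLES = ['subscriber', 'member'];
const DEFAULT_REGISTRATION_ROLE  = 'subscriber';

// VULNERABLE pattern: the client-supplied role is used as-is.
// An unauthenticated POST carrying role=administrator yields an admin account.
function register_user_vulnerable(array $form_data): int
{
    $role = $form_data['role'] ?? DEFAULT_REGISTRATION_ROLE;
    return wp_insert_user_stub([
        'user_login' => $form_data['username'],
        'user_email' => $form_data['email'],
        'user_pass'  => $form_data['password'],
        'role'       => $role, // no server-side allowlist check
    ]);
}

// HARDENED pattern: the role is decided on the server. The client value is at
// most a hint, checked by exact match against the allowlist; a rejected value
// is logged and replaced by the default instead of being honoured.
function resolve_registration_role(?string $requested): string
{
    if ($requested === null || $requested === '') {
        return DEFAULT_REGISTRATION_ROLE;
    }
    if (in_array($requested, REGISTRATION_ALLOWED_ROLES, true)) {
        return $requested;
    }
    error_log("registration: rejected role '$requested', using default");
    return DEFAULT_REGISTRATION_ROLE;
}

function register_user_hardened(array $form_data): int
{
    return wp_insert_user_stub([
        'user_login' => $form_data['username'],
        'user_email' => $form_data['email'],
        'user_pass'  => $form_data['password'],
        'role'       => resolve_registration_role($form_data['role'] ?? null),
    ]);
}

// Constructed request, shaped like what an unauthenticated attacker would send.
$attack = [
    'username' => 'evil',
    'email'    => 'evil@example.com',
    'password' => 'x',
    'role'     => 'administrator',
];
register_user_vulnerable($attack);
register_user_hardened($attack);
```

Two design points are worth keeping in mind when fixing code like this: the allowlist is a fixed set of low-privilege roles, not "any role that exists" (a check such as `wp_roles()->is_role($role)` would still accept `administrator`), and the comparison is strict so that case or type coercion cannot slip a value past it.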
Severity and evidence of exploitation
Security researcher Foxyyy is credited with the public disclosure. The flaw carries a reported CVSS score of 9.8, which falls in the Critical band. Security vendors, including Wordfence, reported active exploitation in the wild, with their detections blocking dozens of attempts in short windows following disclosure. The combination of an unauthenticated vector and a direct path to administrator privileges explains both the severity rating and the observed attack activity.
Versions affected and related issues
The vulnerability affected plugin versions up to and including 5.1.2. Separately, version 5.1.2 also contained an authentication bypass tracked as CVE-2026-1779, compounding the risk for sites that had not been updated. The vendor released an update that addresses the role-assignment issue by restricting which roles can be assigned during registration; users should move to version 5.1.3 or later.
Real-world impact
If exploited, an attacker who successfully registers an administrator account can:
- Modify site content and settings
- Exfiltrate or manipulate user data
- Install malicious plugins, themes, or backdoors to maintain persistence
- Create additional privileged accounts to make recovery harder
Because exploitation requires no login, any site running a vulnerable version is at immediate risk until patched.
Timeline and disclosure
The vulnerability was disclosed in early March 2026. The vendor issued a patch (version 5.1.3) shortly after disclosure, and security vendors updated advisories recommending immediate updates. Foxyyy is credited with discovery and disclosure; Wordfence and other threat intelligence feeds reported on active exploitation and mitigation guidance.
Immediate actions for site owners (must-do)
- Update the plugin immediately to version 5.1.3 or later. Applying the vendor patch is the primary and most effective mitigation.
- Audit user accounts for unauthorized administrator profiles. Remove any accounts you did not explicitly create or authorize.
- Review recent registration logs for suspicious role parameters or an unusual spike in registrations.
- Rotate credentials for administrative users and consider resetting API keys and other sensitive tokens.
- Scan the site for indicators of compromise: unexpected PHP files, modified core or plugin files, scheduled tasks, and new admin accounts.
- If you detect a compromise, take the site offline or put it in maintenance mode while you investigate, and consider restoring from a known-good backup created before the compromise.
- Enable multi-factor authentication for admin users to reduce risk of continued unauthorized access if credentials were exposed.
Detection and monitoring recommendations
- Add monitoring for registration endpoint activity and anomalous role values in registration requests.
- Enable and review
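The log review in the must-do list and the endpoint monitoring above can be scripted. The PHP below is an added example, not from the post or the plugin. It assumes a request log in which each line records timestamp, client IP, method, path and the submitted form fields (as a WAF or the plugin's own debug logging might record them); the registration path `/register/`, the field name `role`, the sample lines and the burst threshold are all constructed for the example and should be replaced with the endpoint, parameter names and baseline your site actually has. It flags two things: any registration request that asks for a privileged role, and a burst of registrations from one source.

```php
<?php
// Added example, not the plugin's code. Log format, path, field names,
// sample lines and thresholds are assumptions constructed for this example.

const PRIVILEGED_ROLES = ['administrator', 'editor', 'shop_manager'];
const SPIKE_WINDOW_SEC = 300; // 5-minute window
const SPIKE_THRESHOLD  = 5;   // registrations from one IP within the window

// Constructed sample log: "<ISO timestamp> <ip> <METHOD> <path> <form fields or ->"
$sample_log = <<<LOG
2026-03-04T10:00:01Z 203.0.113.7 POST /register/ username=alice&email=a@example.com&role=subscriber
2026-03-04T10:00:05Z 198.51.100.9 POST /register/ username=bob&email=b@example.com&role=administrator
2026-03-04T10:01:10Z 198.51.100.9 POST /register/ username=bob2&email=b2@example.com&role=subscriber
2026-03-04T10:01:11Z 198.51.100.9 POST /register/ username=bob3&email=b3@example.com&role=subscriber
2026-03-04T10:01:12Z 198.51.100.9 POST /register/ username=bob4&email=b4@example.com&role=subscriber
2026-03-04T10:01:13Z 198.51.100.9 POST /register/ username=bob5&email=b5@example.com&role=subscriber
2026-03-04T10:02:00Z 192.0.2.33 GET /register/ -
LOG;

// Parse one line into its fields; the trailing form data is decoded with
// parse_str() so nested or repeated keys behave as PHP itself would see them.
function parse_line(string $line): ?array
{
    $parts = preg_split('/\s+/', trim($line), 5);
    if (count($parts) < 5) {
        return null;
    }
    [$ts, $ip, $method, $path, $query] = $parts;
    $params = [];
    if ($query !== '-') {
        parse_str($query, $params);
    }
    return [
        'ts'     => strtotime($ts),
        'ip'     => $ip,
        'method' => $method,
        'path'   => $path,
        'params' => $params,
    ];
}

function find_registration_alerts(string $log): array
{
    $alerts = [];
    $by_ip  = []; // ip => list of registration timestamps seen so far
    foreach (explode("\n", $log) as $line) {
        $r = parse_line($line);
        if ($r === null || $r['method'] !== 'POST' || $r['path'] !== '/register/') {
            continue;
        }
        // 1. Any attempt to pick a privileged role through the registration form.
        $role = strtolower((string) ($r['params']['role'] ?? ''));
        if (in_array($role, PRIVILEGED_ROLES, true)) {
            $alerts[] = sprintf('privileged role "%s" requested by %s for user %s',
                $role, $r['ip'], $r['params']['username'] ?? '?');
        }
        // 2. Registration burst from a single source within the sliding window.
        $by_ip[$r['ip']][] = $r['ts'];
        $recent = array_filter($by_ip[$r['ip']], fn($t) => $r['ts'] - $t <= SPIKE_WINDOW_SEC);
        if (count($recent) === SPIKE_THRESHOLD) {
            $alerts[] = sprintf('%d registrations from %s within %d s',
                SPIKE_THRESHOLD, $r['ip'], SPIKE_WINDOW_SEC);
        }
    }
    return $alerts;
}

foreach (find_registration_alerts($sample_log) as $alert) {
    echo $alert, "\n";
}
```

Run it with `php detect_registrations.php` (any file name works). The privileged-role check is the high-confidence signal: a legitimate visitor has no reason to submit `role=administrator`, so every hit deserves a follow-up in the user table. The burst check is a weaker, site-specific heuristic; tune the window and threshold to your normal registration rate before alerting on it.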