Hackers exploiting WordPress membership plugin bug to create admin accounts
techradar.com
- Critical flaw found in WordPress plugin allowing attackers to register admin accounts unauthenticated
- Over 37,000 sites currently exposed
Tens of thousands of WordPress websites are vulnerable to full site takeover, thanks to a critical-severity vulnerability just discovered in a popular plugin.
Security researchers at Defiant reported finding a bug in User Registration & Membership, a WordPress plugin which helps admins create subscription plans, control user access, and accept payments. The bug is due to the plugin accepting user-supplied roles during membership registration, without properly enforcing a server-side allowlist.
As a result, unauthenticated attackers can create admin accounts by supplying a role value at registration.
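The mechanism the article describes (the server trusting a role value chosen by the client) is easiest to see next to a handler that does enforce a server-side allowlist. The following PHP is an added example written for this page, not the plugin's own code and not taken from Defiant's report; it assumes a WordPress runtime, and the form field names, the `membership_register` action name and the `premium_member` role are hypothetical.

```php
<?php
/**
 * Added example (not the plugin's code): a public membership-registration
 * handler whose role assignment is decided entirely on the server.
 * Assumes WordPress; field names, action name and role names are hypothetical.
 */

// The only roles a self-registering visitor may ever receive. The list lives
// in server code, is never read from the request, and deliberately contains
// no privileged role such as 'administrator' or 'editor'.
const MEMBER_ROLE_ALLOWLIST = array( 'subscriber', 'premium_member' );

/**
 * Resolve the client's requested plan to a role. Anything not on the
 * allowlist (including 'administrator') is ignored and the least-privileged
 * default is used instead of honouring the supplied value.
 */
function membership_resolve_role( $requested ) {
	$requested = sanitize_key( (string) $requested );
	if ( in_array( $requested, MEMBER_ROLE_ALLOWLIST, true ) && get_role( $requested ) ) {
		return $requested;
	}
	return 'subscriber'; // safe default
}

function membership_handle_registration() {
	// CSRF check for the public form (nonce action name is hypothetical).
	if ( ! isset( $_POST['membership_nonce'] )
		|| ! wp_verify_nonce( $_POST['membership_nonce'], 'membership_register' ) ) {
		wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
	}

	// Validate every client-supplied field before touching the user table.
	$username = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true );
	$email    = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
	$password = (string) ( $_POST['user_pass'] ?? '' );

	if ( '' === $username || ! is_email( $email ) || strlen( $password ) < 12 ) {
		wp_die( 'Invalid registration data.', '', array( 'response' => 400 ) );
	}

	// The role comes from the allowlist mapping, never straight from $_POST.
	$role = membership_resolve_role( $_POST['membership_role'] ?? '' );

	$user_id = wp_insert_user( array(
		'user_login' => $username,
		'user_email' => $email,
		'user_pass'  => $password,
		'role'       => $role,
	) );

	if ( is_wp_error( $user_id ) ) {
		wp_die( esc_html( $user_id->get_error_message() ), '', array( 'response' => 400 ) );
	}

	wp_safe_redirect( home_url( '/registration-complete/' ) );
	exit;
}

// Unauthenticated (nopriv) and authenticated submissions use the same handler.
add_action( 'admin_post_nopriv_membership_register', 'membership_handle_registration' );
add_action( 'admin_post_membership_register', 'membership_handle_registration' );
```

The point of `membership_resolve_role` is that the request can only select among roles the server already decided are acceptable; a value like `administrator` is not rejected with an error that leaks the allowlist, it simply maps to the default. When reviewing a registration or membership plugin, that is the property to look for: the role written by `wp_insert_user` (or `WP_User::set_role`) must be derived from server-side configuration, with the client input used at most as a lookup key.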
Actively abused
The bug is described as “improper privilege management” and is now tracked as CVE-2026-1492. It has a severity score of 9.8/10 (critical) and affects all versions of the plugin up to, and including, 5.1.2. It ...
Copyright of this story solely belongs to techradar.com.