Critical WordPress membership plugin vulnerability enables full site takeover
Tens of thousands of WordPress websites are exposed to a critical-severity vulnerability in the User Registration & Membership plugin, which is used to create subscription plans, control user access, and accept payments. Security researchers at Defiant reported the issue, warning it can lead to full website takeover.
The core problem is simple but brutal: the plugin accepts user-supplied roles during membership registration without properly enforcing a server-side allowlist. That means an attacker can register and, during that process, supply a role value that effectively grants administrator-level privileges.
And because the registration flow can be reached without authentication, it turns into the kind of vulnerability attackers love—low friction, high impact.
How the bug works: user-supplied role accepted without a server-side allowlist
Improper privilege management in membership registration
Defiant described the flaw as “improper privilege management”. In practice, the plugin’s registration logic allows a user to provide a role value, but it doesn’t reliably constrain that value to a safe list on the server side.
So instead of being limited to a normal membership role, an unauthenticated attacker can submit a registration request that includes an elevated role and end up with an admin account.
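The fix the advisory implies is to stop reading the role from the request at all and derive it on the server from an allowlisted membership plan. The handler below is an added illustration written for this article, not the plugin's own code; the function names, the `plan` field and the plan-to-role mapping are hypothetical, and it assumes it runs inside WordPress with `wp-admin/includes/user.php` loaded.

```php
<?php
// Added illustration, not the vulnerable plugin's code. All names here
// (mp_register_member, mp_plan_roles, the 'plan' field) are hypothetical.

// Server-side mapping from membership plan to the WordPress role it grants.
// Only non-privileged roles belong here; administrator/editor never do.
function mp_plan_roles(): array {
    return [
        'free'    => 'subscriber',
        'premium' => 'subscriber',
    ];
}

// Unsafe pattern the advisory describes: the role comes straight from the
// request, so whatever the client sends becomes the account's role.
//   $role = $_POST['role'] ?? 'subscriber';   // do not do this

function mp_register_member(array $request): int|WP_Error {
    $plans = mp_plan_roles();
    $plan  = sanitize_key($request['plan'] ?? '');

    // Allowlist check on the one value the client may choose: the plan.
    if (!array_key_exists($plan, $plans)) {
        // Unknown plans, and requests that carry a 'role' field at all,
        // are worth logging so defenders can spot probing.
        error_log(sprintf('mp_register_member: rejected plan=%s role_field=%s ip=%s',
            $plan,
            isset($request['role']) ? 'present' : 'absent',
            $_SERVER['REMOTE_ADDR'] ?? '-'));
        return new WP_Error('mp_bad_plan', 'Unknown membership plan.');
    }

    $user_id = wp_insert_user([
        'user_login' => sanitize_user($request['user_login'] ?? '', true),
        'user_email' => sanitize_email($request['user_email'] ?? ''),
        'user_pass'  => $request['user_pass'] ?? '',
        'role'       => $plans[$plan],   // derived on the server, never from input
    ]);
    if (is_wp_error($user_id)) {
        return $user_id;
    }

    // Defence in depth: confirm the new account holds exactly the expected role.
    $user = get_userdata($user_id);
    if ($user === false || $user->roles !== [$plans[$plan]]) {
        wp_delete_user($user_id);
        return new WP_Error('mp_role_mismatch', 'Unexpected role assignment.');
    }
    return $user_id;
}
```

The same allowlist idea applies to any field that selects privileges, and the `error_log` line gives incident responders a hook for counting rejected registration attempts of the kind Defiant observed.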
Unauthenticated admin account creation is the worst-case scenario
When a vulnerability lets an attacker create an administrator account without logging in first, the usual “security issue” language doesn’t really capture what’s happening. Admin access is the keys to everything.
Once a malicious admin exists, the site isn’t “at risk.” It’s effectively owned.
CVE-2026-1492 details: severity, affected versions, and the fixed release
CVE tracking and critical score
The vulnerability is tracked as CVE-2026-1492 and carries a 9.8/10 severity score (critical).
Affected plugin versions
The flaw affects all versions up to and including 5.1.2.
Fixed version available
The issue is fixed in version 5.1.3, which is available for download.
Active exploitation signals: 200+ exploit attempts in 24 hours
Defiant researchers observed more than 200 attempts to exploit this vulnerability in just 24 hours. That kind of volume is a loud signal that attackers aren’t merely “testing” it—they’re actively hunting for exposed sites.
In other words: if your site is vulnerable and reachable, it’s reasonable to assume someone will try it.
How many WordPress sites are exposed: install base, older versions, and the 37,000 estimate
Plugin adoption expands the attack surface
According to the official WordPress repository, User Registration & Membership is installed on more than 60,000 active websites. That makes this a high-value target for attackers: one exploit path, tens of thousands of potential victims.
Older versions dominate current installations
The situation gets worse because the “vast majority” of installations—62.7%—are running versions 4.4 and older.
Estimated vulnerable sites
Based on the reported numbers, at least 37,000 websites are currently susceptible to this improper privilege management bug.
Version confusion may hide the true vulnerable count
One extra complication: the plugin page reportedly does not differentiate between versions 5.1.2 and 5.1.3. That makes it harder for site owners to quickly verify whether they’re on the fixed release, and it raises the possibility that the real number of vulnerable sites is even higher than the estimate.
What attackers can do with a WordPress admin account after exploitation
Once threat actors have an admin account, Defiant warned they can cause serious damage across multiple fronts:
Data exfiltration and access to sensitive information
With admin-level control, attackers can exfiltrate sensitive data from the site. If the site is handling memberships, subscriptions, or payments, the potential value of what’s accessible goes up fast.
Malware hosting and abuse of site reputation
Attackers can use the compromised website as a host for malware, turning a legitimate domain into infrastructure for broader campaigns.
Traffic redirection, ad abuse, and credential theft
Threat actors can redirect legitimate traffic to malicious websites “ridden with ads,” and they can also trick users into sharing login credentials. That’s the kind of downstream harm that doesn’t just hit the site owner—it hits visitors too.

