Security researchers have disclosed a critical vulnerability, tracked as CVE-2026-1492, in the WordPress plugin User Registration & Membership, which is installed on more than 60,000 websites. The flaw lets anyone who can submit the registration form create an account with administrator privileges and thereby take full control of the site, putting both its content and its users' data at risk.
How the Vulnerability Works
The weakness lies in the account registration flow: the plugin lets the person registering determine their own role, so an attacker can simply assign themselves the administrator role at sign-up, with no further interaction required. With that role, the attacker can modify content, install malicious plugins, or remove the legitimate administrators.
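To make the weakness concrete, here is an added illustration, written for this article and not taken from the plugin's source, of a registration handler that accepts the role from the submitted form, next to a hardened version that decides the role on the server side and fails closed if the configuration itself is unsafe. The function names, the allowlist of self-registrable roles and the sample request are all assumptions.

```php
<?php
// Hypothetical illustration of the privilege-escalation class described above.
// Not the plugin's code: it models a registration handler that trusts a
// client-supplied role, and the server-side alternative.

const DEFAULT_ROLE = 'subscriber';

// Roles that self-registration is ever allowed to produce (constructed allowlist).
// "administrator" is deliberately absent.
const SELF_REGISTRABLE_ROLES = ['subscriber', 'customer'];

// Vulnerable pattern: the role comes from the registration request, so an
// attacker simply submits role=administrator along with the other fields.
function vulnerable_role_for_registration(array $request): string
{
    return $request['role'] ?? DEFAULT_ROLE;
}

// Hardened pattern: the submitted role is ignored entirely. The role is taken
// from server-side configuration and checked against a closed allowlist; a
// misconfigured form (for example default role set to administrator) is
// refused rather than silently honoured.
function hardened_role_for_registration(array $request, string $configured_role): string
{
    if (!in_array($configured_role, SELF_REGISTRABLE_ROLES, true)) {
        throw new RuntimeException(
            "Refusing self-registration with non-allowlisted role '$configured_role'"
        );
    }
    return $configured_role;
}

// Constructed request: what an attacker would post to the registration form.
$attacker_request = [
    'user_login' => 'evil',
    'user_email' => 'evil@example.com',
    'role'       => 'administrator',
];

echo 'vulnerable handler assigns: ', vulnerable_role_for_registration($attacker_request), PHP_EOL;
echo 'hardened handler assigns:   ', hardened_role_for_registration($attacker_request, 'subscriber'), PHP_EOL;

try {
    hardened_role_for_registration($attacker_request, 'administrator');
} catch (RuntimeException $e) {
    echo 'hardened handler with bad config: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php registration_roles.php`. The point of the hardened version is that the client never participates in choosing the role: the only way to obtain administrator is for an existing administrator to grant it after the account exists.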
Affected Versions and How to Fix
The vulnerability affects all versions of the plugin up to and including 5.1.2. The fix shipped in version 5.1.3, and the latest release at the time of writing is 5.1.4; the paid Pro edition is not affected. Site administrators should update the plugin immediately. Because the flaw is exploited through ordinary registration, they should also review the site's user list for administrator accounts they did not create, since updating does not remove an account an attacker has already made.
Additional Vulnerability in Another Plugin
A second vulnerability, CVE-2026-2628, was also reported in the plugin All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login. It allows an attacker to bypass authentication and log in as other users, including administrators.
Security Tips for WordPress Users
- Update plugins as soon as security patches are released; for User Registration & Membership that means version 5.1.3 or later.
- Keep role assignment under server-side control: the WordPress default role for new registrations (Settings > General > New User Default Role) should be Subscriber, and no registration form should accept a role chosen by the registrant.
- Monitor login logs and watch for suspicious activity, in particular administrator accounts you did not create.
- Keep regular, tested backups stored off the site so you can restore cleanly after a compromise.
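As an added aid for the update and monitoring advice above, and for the version range given under Affected Versions, the following stand-alone PHP script (written for this article, not part of the plugin or of WordPress) checks whether a plugin's header still reports a version below 5.1.3 and lists administrator accounts created after a chosen date. It works on data you export yourself; the plugin header, user rows and wp_capabilities values below are constructed samples, and the function names are assumptions.

```php
<?php
// Added triage script for the advisory above. Not the plugin's or WordPress's
// own code. Inputs are things an administrator can export: the plugin's main
// file (for its "Version:" header) and rows from wp_users / wp_usermeta.

// 1. Is the installed version still inside the vulnerable range (<= 5.1.2)?
//    Unknown or unparsable versions are treated as vulnerable (fail closed).
function plugin_is_vulnerable(string $plugin_header, string $fixed_in = '5.1.3'): bool
{
    if (!preg_match('/^\s*\*?\s*Version:\s*([0-9][0-9.]*)/mi', $plugin_header, $m)) {
        return true;
    }
    return version_compare($m[1], $fixed_in, '<');
}

// 2. Which administrator accounts were registered on or after $since?
//    wp_usermeta stores a user's roles as a PHP-serialized array under the
//    meta_key "wp_capabilities" (the "wp_" prefix follows the table prefix).
function recent_admins(array $users, array $caps_by_user_id, string $since): array
{
    $flagged = [];
    $cutoff  = strtotime($since);
    foreach ($users as $u) {
        $raw  = $caps_by_user_id[$u['ID']] ?? '';
        $caps = @unserialize($raw, ['allowed_classes' => false]); // never instantiate objects
        $is_admin = is_array($caps) && !empty($caps['administrator']);
        if ($is_admin && strtotime($u['user_registered']) >= $cutoff) {
            $flagged[] = $u['user_login'];
        }
    }
    return $flagged;
}

// Constructed sample data (hypothetical plugin header and user table extract).
$header = "<?php\n/*\nPlugin Name: Example Plugin\nVersion: 5.1.2\n*/";

$users = [
    ['ID' => 1, 'user_login' => 'owner',    'user_registered' => '2023-04-02 10:00:00'],
    ['ID' => 2, 'user_login' => 'editor1',  'user_registered' => '2024-01-15 09:30:00'],
    ['ID' => 3, 'user_login' => 'zz_admin', 'user_registered' => '2026-02-20 03:14:07'],
];
$caps_by_user_id = [
    1 => 'a:1:{s:13:"administrator";b:1;}',
    2 => 'a:1:{s:6:"editor";b:1;}',
    3 => 'a:1:{s:13:"administrator";b:1;}',
];

printf("plugin still vulnerable: %s\n", plugin_is_vulnerable($header) ? 'yes' : 'no');
printf(
    "administrator accounts registered since 2026-01-01: %s\n",
    implode(', ', recent_admins($users, $caps_by_user_id, '2026-01-01')) ?: '(none)'
);
```

Run it with `php triage.php`. On a real site, feed plugin_is_vulnerable() the contents of the plugin's main file under wp-content/plugins, and build the two arrays from `SELECT ID, user_login, user_registered FROM wp_users` and `SELECT user_id, meta_value FROM wp_usermeta WHERE meta_key = 'wp_capabilities'` (adjusting the table prefix). Any administrator that the script lists and that nobody on the team recognises should be treated as a sign of compromise, not merely removed.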