A critical security flaw in a widely used WordPress plugin allows unauthenticated attackers to bypass authentication controls and gain full administrative access to affected websites.
The vulnerability, tracked as CVE-2026-1492, affects the User Registration & Membership plugin, versions 5.1.2 and earlier.
Experts at Cyfirma say improper server-side validation and weak authorization checks within the membership registration workflow create this dangerous gap.
Attackers can abuse exposed client-side data and insufficient backend validation to manipulate parameters that directly influence authentication and privilege assignment.
The vulnerability stems from trusting user-controlled input rather than enforcing strict server-side validation.
Backend endpoints process membership-related actions without proper authentication or authorization checks.
This weakness becomes dangerous because exposed nonce values within client-side JavaScript are accessible to unauthenticated users.
Attackers can then reuse these nonce values in crafted requests to manipulate backend behavior, even for website builders.
By inspecting these values, attackers can construct malicious requests targeting the WordPress AJAX endpoint at /wp-admin/admin-ajax.php.
The backend processes these requests without verifying the request origin or authorization state.
This results in automatic authentication and privilege escalation, where administrative access is granted without any legitimate login process taking place.
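The flaw class described above, shown as a vulnerable WordPress AJAX handler beside a hardened one, is an added illustration and not the plugin's actual code or anything published by Cyfirma. Every name in it (the `example_` action names, option key and custom role) is invented; the WordPress functions themselves (`check_ajax_referer`, `wp_insert_user`, `current_user_can`, and so on) are real core APIs. The point is that a nonce printed into public JavaScript only proves the request came from a page that rendered it; it is not an authorization check, and a handler that also trusts a client-supplied role and auto-logs the new account in gives exactly the outcome the article describes.

```php
<?php
// Added illustration of the weakness class, NOT the real plugin's code.
// All action names, option keys and the custom role are hypothetical.

// --- Vulnerable pattern --------------------------------------------------
// 1. The nonce is written into a public page, so any visitor can read it.
add_action( 'wp_enqueue_scripts', function () {
    wp_localize_script( 'example-membership', 'exampleMembership', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'example_membership' ),
    ) );
} );

// 2. Logged-out callers can reach the handler (nopriv) and the nonce is the
//    only check, so nothing verifies who the caller is or what they may do.
add_action( 'wp_ajax_nopriv_example_register_v1', 'example_register_vulnerable' );
function example_register_vulnerable() {
    check_ajax_referer( 'example_membership', 'nonce' );

    // 3. The role is taken from the request body: user-controlled input
    //    decides the privilege level of the account being created.
    $role    = sanitize_text_field( $_POST['role'] ?? 'subscriber' );
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['username'] ?? '' ),
        'user_email' => sanitize_email( $_POST['email'] ?? '' ),
        'user_pass'  => $_POST['password'] ?? '',
        'role'       => $role,
    ) );

    // 4. The new account is logged in immediately: no approval, no login flow.
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id );
    wp_send_json_success();
}

// --- Hardened pattern ----------------------------------------------------
add_action( 'wp_ajax_nopriv_example_register', 'example_register_hardened' );
function example_register_hardened() {
    check_ajax_referer( 'example_membership', 'nonce' ); // CSRF guard only

    // The role comes from configuration the site owner controls, and is
    // clamped to a non-privileged allow-list no matter what the request says.
    $configured = get_option( 'example_membership_default_role', 'subscriber' );
    $allowed    = array( 'subscriber', 'pending_member' ); // hypothetical role
    $role       = in_array( $configured, $allowed, true ) ? $configured : 'subscriber';

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['username'] ?? '' ),
        'user_email' => sanitize_email( $_POST['email'] ?? '' ),
        'user_pass'  => $_POST['password'] ?? '',
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( 'registration failed', 400 );
    }

    // No auto-login: the account must go through the normal login flow
    // (and any configured email verification or admin approval) first.
    wp_send_json_success( array( 'status' => 'pending' ) );
}

// Anything that changes a role or membership level must require a logged-in
// caller with the right capability: no nopriv hook, and an explicit check.
add_action( 'wp_ajax_example_change_role', function () {
    check_ajax_referer( 'example_membership_admin', 'nonce' );
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // ... server-side validated role change would go here ...
} );
```

The hardened version keeps the nonce, because it still stops cross-site request forgery, but moves every privilege decision to the server and never issues a session as a side effect of registration. When reviewing a plugin, the things to look for are `wp_ajax_nopriv_` hooks whose handlers create or modify users, role or capability values read from `$_POST`/`$_GET`, and calls to `wp_set_auth_cookie` outside the normal login path.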
Successful exploitation grants attackers unrestricted administrative privileges over the entire WordPress environment.
With this level of access, attackers can install malicious plugins and modify themes to execute arbitrary code.
They can also access sensitive user data, including credentials and configuration files.
Hidden admin accounts can be created to ensure persistent access even after initial detection.
These attackers can also redirect website visitors to phishing pages or malware distribution sites.
Website defacement, content tampering, and malicious script injection become trivial once administrative control is established.
All versions of the User Registration & Membership plugin up to and including 5.1.2 are vulnerable to this flaw. The issue has been fixed in version 5.1.3 through improved validation and authorization checks, so website administrators must update immediately.
After updating, administrators should review existing user accounts, especially those with administrative privileges, which will help identify any unauthorized accounts created before patching.
Suspicious sessions should be invalidated, and credentials reset if compromise is suspected.
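One way to carry out that post-update review is the WP-CLI script below, an added example that is neither TechRadar's nor the plugin vendor's code. It lists every account that holds the `manage_options` capability (which catches custom roles with admin-level rights, not just the literal `administrator` role; the `capability` query argument needs WordPress 5.9 or newer), flags those registered after a cutoff date, and can optionally destroy all of their sessions so that a stolen session cannot survive the cleanup. The cutoff date is a placeholder to be set per site.

```php
<?php
/**
 * Post-patch audit helper (added example, not the plugin's or TechRadar's code).
 * Run from the site root with WP-CLI:   wp eval-file audit-admins.php
 *
 * $cutoff is a PLACEHOLDER: set it to when the vulnerable plugin version was
 * installed, or to the earliest date exploitation is plausible for this site.
 */
$cutoff              = '2026-01-01 00:00:00'; // PLACEHOLDER, adjust per site
$invalidate_sessions = false;                 // set true after the review is done

// Every user who can manage options, regardless of the role name attached.
// The 'capability' argument exists since WordPress 5.9.
$privileged = get_users( array(
    'capability' => 'manage_options',
    'orderby'    => 'registered',
    'order'      => 'DESC',
) );

WP_CLI::log( sprintf( '%d privileged account(s) found', count( $privileged ) ) );
foreach ( $privileged as $user ) {
    // Accounts created after the cutoff deserve a manual look; the others
    // should still be compared against a known-good list kept off the server,
    // because an existing account that was merely elevated keeps its old
    // registration date.
    $flag = ( $user->user_registered >= $cutoff ) ? 'REVIEW' : 'ok';
    WP_CLI::log( sprintf(
        '[%s] ID=%d login=%s email=%s roles=%s registered=%s',
        $flag,
        $user->ID,
        $user->user_login,
        $user->user_email,
        implode( ',', $user->roles ),
        $user->user_registered
    ) );
}

if ( $invalidate_sessions ) {
    // Drop every session token for each privileged account so that any
    // session obtained before patching stops working; users simply log in again.
    foreach ( $privileged as $user ) {
        WP_Session_Tokens::get_instance( $user->ID )->destroy_all();
        WP_CLI::log( "sessions destroyed for {$user->user_login}" );
    }
}
```

Unexpected accounts found this way should be removed (reassigning their content with `wp user delete <id> --reassign=<id>`) rather than merely demoted, and the passwords of the remaining privileged users reset, since an attacker with administrative access could have changed them. The web server's access log for `POST /wp-admin/admin-ajax.php` requests around the registration dates of any flagged account is the natural next place to look.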
The vulnerability carries a CVSS v4.0 score of 9.8 out of 10, indicating critical severity.
Observed discussions in underground forums show active interest in exploiting this vulnerability.
Hackers are already sharing exploitation techniques among themselves and discussing automation strategies.
Initial Access Brokers may leverage this flaw to obtain administrative access and resell it for ransomware deployment, SEO spam campaigns, or credential harvesting operations.
Given the low complexity of exploitation and public awareness of the technique, website owners running the affected plugin should treat their systems as actively at risk and prioritize remediation immediately.