
Critical Privilege Escalation Vulnerability Reported in WordPress User Registration Plugin

Take action: If you are using the User Registration & Membership plugin, this is urgent. Update to version 5.1.3 immediately, because this flaw is being actively exploited. If you can't update, disable user registration.



A critical security vulnerability has been reported in the User Registration & Membership plugin for WordPress. The flaw allows unauthenticated visitors to bypass the plugin's security controls and register themselves with the highest level of site permissions.

The vulnerability is tracked as CVE-2026-1492 (CVSS score 9.8), an improper privilege management vulnerability that allows unauthenticated privilege escalation. The plugin accepts a user-supplied role during the membership registration process but fails to validate that role against a server-side allowlist. By supplying the "administrator" value in the registration request, an attacker can force the plugin to grant them full administrative rights without any credentials or approval.

Security researchers at Wordfence have already observed active attempts to exploit this vulnerability in the wild, highlighting the immediate risk to site owners.

A successful exploit results in total site compromise, since an attacker with administrator access can perform any action on the WordPress site.

The vulnerability affects all versions of the User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin up to and including version 5.1.2. 

Administrators must update to version 5.1.3 or newer immediately to mitigate this threat. If an immediate update is not possible, site owners should consider disabling user registration or using a web application firewall to block suspicious registration requests containing privileged role parameters.
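The root cause described above (a client-supplied role that is never checked against a server-side allowlist) and the interim WAF mitigation both come down to the same check. The following is an added illustrative example, not code from the plugin or from Wordfence: it shows the unsafe pattern beside a hardened handler that only honours allowlisted roles, plus a detection helper that flags any registration request naming a privileged role. The function names, the `PUBLIC_REGISTRATION_ROLES` list and the request shape are assumptions for the demo.

```php
<?php
// Added illustrative example (not the plugin's own code). Function names, the
// allowlist and the request array layout are assumptions for this demo.

// Roles a self-registering visitor is ever permitted to receive. Privileged
// roles (administrator, editor, ...) are deliberately absent from this list.
const PUBLIC_REGISTRATION_ROLES = ['subscriber', 'member'];

// UNSAFE pattern, as the advisory describes it: the role is taken from the
// request as-is. A request carrying role=administrator yields an admin account.
function vulnerable_registration_role(array $request): string
{
    return $request['role'] ?? 'subscriber';
}

// HARDENED: the requested role is accepted only if it appears in the
// server-side allowlist; anything else, including a missing or empty value,
// falls back to the least-privileged default.
function safe_registration_role(array $request, array $allowed = PUBLIC_REGISTRATION_ROLES): string
{
    $requested = strtolower(trim((string) ($request['role'] ?? '')));
    // Third argument enables strict comparison so loose type juggling cannot
    // match an unexpected value.
    if ($requested !== '' && in_array($requested, $allowed, true)) {
        return $requested;
    }
    return 'subscriber';
}

// Detection helper mirroring the interim WAF advice: true when a registration
// request names a privileged WordPress role at all. Useful for logging or as
// the basis of a block rule while the plugin cannot yet be updated.
function request_names_privileged_role(array $request): bool
{
    $privileged = ['administrator', 'editor', 'author', 'contributor'];
    $requested  = strtolower(trim((string) ($request['role'] ?? '')));
    return in_array($requested, $privileged, true);
}

// Constructed sample request carrying a privileged role value, the input class
// the advisory describes. Not captured traffic.
$request = [
    'username' => 'newuser',
    'email'    => 'newuser@example.com',
    'role'     => 'administrator',
];

printf("vulnerable handler assigns: %s\n", vulnerable_registration_role($request));
printf("hardened handler assigns:   %s\n", safe_registration_role($request));
printf("privileged role requested:  %s\n", request_names_privileged_role($request) ? 'yes' : 'no');
```

In a real plugin the value returned by `safe_registration_role()` is what would be passed as the `role` key to `wp_insert_user()`; the essential property is that the allowlist lives on the server and the client's value is never trusted on its own. The detection helper is intentionally coarse: during active exploitation a site owner would rather log or block every registration request that mentions a privileged role than try to guess which ones are malicious.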
