ThePakistanTime

WordPress plugin flaw exposes more than 60,000 sites to hacker attacks

2026-03-09 - 06:14

A serious security vulnerability in the User Registration & Membership plugin for WordPress is being actively exploited by hackers, putting more than 60,000 websites at risk. The flaw, identified as CVE-2026-1492, carries a severity score of 9.8 and allows attackers to create administrator accounts without authorization, potentially giving them full control over affected websites.

The plugin, developed by WPEverest, is commonly used to enable user registration and membership systems on WordPress sites. According to cybersecurity reports, the vulnerability stems from how the plugin processes user roles submitted during the registration process. By manipulating this process, attackers can register themselves as administrators without authentication.

Once an administrator account is created, the attackers can take complete control of a website. This includes installing harmful plugins, modifying website content, accessing sensitive data such as user databases, and injecting malware into the system. Security experts have already detected and blocked more than 200 attempted attacks exploiting the vulnerability within a 24-hour period.

The issue affects versions of the plugin up to 5.1.2. Developers have addressed the flaw in version 5.1.3 and later, and are urging website owners to update immediately. Experts warn that websites built on WordPress remain frequent targets for cyberattacks due to their widespread use. Administrators are advised to install the latest update of the plugin as soon as possible, or to temporarily disable it if updating cannot be done right away, to reduce the risk of compromise.
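For site owners triaging this advisory, the following added example (not from the article or from the plugin's code) checks an installed version against the fixed release and flags administrator accounts registered inside a review window. The record fields `user_login`, `user_registered` and `roles`, the allowlist of known administrators, and the sample data are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# From the article: versions up to 5.1.2 are affected, 5.1.3 and later are fixed.
FIXED_VERSION = (5, 1, 3)
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout of the user export


def parse_version(text):
    """Turn '5.1.2' into (5, 1, 2); suffixes such as '-beta' are ignored."""
    numbers = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        numbers.append(int(match.group()) if match else 0)
    while len(numbers) < 3:
        numbers.append(0)
    return tuple(numbers)


def is_affected(installed_version):
    """True when the installed plugin version predates the fixed release."""
    return parse_version(installed_version) < FIXED_VERSION


def admins_to_review(users, since, known_admins):
    """Logins of administrators registered on/after `since` that nobody vouches for."""
    cutoff = datetime.strptime(since, TIME_FORMAT)
    flagged = []
    for user in users:
        roles = {role.strip() for role in user["roles"].split(",")}
        registered = datetime.strptime(user["user_registered"], TIME_FORMAT)
        if ("administrator" in roles and registered >= cutoff
                and user["user_login"] not in known_admins):
            flagged.append(user["user_login"])
    return flagged


# Constructed sample export; none of these accounts come from a real site.
SAMPLE_USERS = [
    {"user_login": "siteowner", "user_registered": "2024-05-02 09:00:00", "roles": "administrator"},
    {"user_login": "editor_amy", "user_registered": "2026-03-05 11:20:45", "roles": "editor"},
    {"user_login": "newadmin01", "user_registered": "2026-03-08 22:41:07", "roles": "administrator"},
    {"user_login": "member77", "user_registered": "2026-03-08 23:02:19", "roles": "subscriber"},
]

if __name__ == "__main__":
    print("plugin 5.1.2 affected:", is_affected("5.1.2"))
    print("review:", admins_to_review(SAMPLE_USERS, "2026-03-01 00:00:00", {"siteowner"}))
```

Any flagged account should be confirmed with the site's owners before the plugin is updated and the account removed, since an update alone does not delete accounts that were already created.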
