WordPress membership plugin bug exploited to create admin accounts
Critical WordPress Plugin Vulnerability Exploited to Create Admin Accounts Without Authentication
A critical vulnerability in the popular User Registration & Membership plugin for WordPress is actively being exploited by hackers to create unauthorized administrator accounts; the plugin is installed on more than 60,000 websites worldwide. The flaw, which carries a severity rating of 9.8 out of 10, allows attackers to bypass authentication entirely and gain full administrative control over vulnerable WordPress sites.
The Vulnerability: A Gateway to Complete Site Control
The security flaw, tracked as CVE-2026-1492, exists in the way the User Registration & Membership plugin developed by WPEverest handles membership registration. Specifically, the plugin accepts user-supplied roles during the registration process without proper validation. This critical oversight enables attackers to register new accounts with administrator privileges without needing any form of authentication.
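The bug class described above, a client-supplied role trusted at registration, shown as an added illustration beside its hardened form. This is hypothetical code written for this article, not WPEverest's plugin code; the allow-list, the default role and the helper names are assumptions.

```php
<?php
// Hypothetical registration handler (not the plugin's code) showing the
// defect class: a role taken from the request and written to the new user.

// Assumption: public sign-up may only ever produce these roles.
const ALLOWED_SIGNUP_ROLES = ['subscriber', 'customer'];
const DEFAULT_SIGNUP_ROLE  = 'subscriber';

/**
 * Vulnerable pattern: whatever role the request carries becomes the new
 * user's role, so a request with role=administrator creates an admin
 * account with no authentication at all.
 */
function register_user_vulnerable(array $request): array {
    return [
        'user_login' => $request['username'],
        'user_email' => $request['email'],
        'role'       => $request['role'] ?? DEFAULT_SIGNUP_ROLE, // trusted as-is
    ];
}

/**
 * Hardened pattern: the role is decided server-side. A requested role is
 * honoured only if it is on the allow-list; anything else, including
 * administrator, collapses to the default. The returned array is the shape
 * you would hand to wp_insert_user().
 */
function register_user_hardened(array $request): array {
    $requested = strtolower(trim((string) ($request['role'] ?? '')));
    $role = in_array($requested, ALLOWED_SIGNUP_ROLES, true)
        ? $requested
        : DEFAULT_SIGNUP_ROLE;
    return [
        'user_login' => sanitize_login((string) $request['username']),
        'user_email' => filter_var($request['email'], FILTER_VALIDATE_EMAIL) ?: '',
        'role'       => $role,
    ];
}

/** Minimal login sanitizer; in WordPress use sanitize_user() instead. */
function sanitize_login(string $login): string {
    return preg_replace('/[^a-z0-9_.\-@]/i', '', $login);
}

// Constructed registration request carrying an elevated role field.
$request = ['username' => 'newuser', 'email' => 'new@example.com', 'role' => 'administrator'];

printf("vulnerable handler assigns: %s\n", register_user_vulnerable($request)['role']);
printf("hardened handler assigns:   %s\n", register_user_hardened($request)['role']);
```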
“Once an attacker gains administrator access, they essentially own the website,” explains a security researcher who has been monitoring the exploitation attempts. “They can install any plugin or theme, modify PHP code, change security settings, alter site content, and most concerningly, lock out legitimate administrators.”
The Scope of the Threat
According to data from WordPress security firm Defiant, the maker of the Wordfence security plugin, more than 200 exploitation attempts were blocked in customer environments within just 24 hours of the vulnerability becoming public. This rapid exploitation rate underscores the attractiveness of WordPress sites to malicious actors and the severity of this particular vulnerability.
The User Registration & Membership plugin is installed on over 60,000 WordPress sites, making this a widespread threat. The vulnerability affects all versions of the plugin through 5.1.2, with the developer releasing a patch in version 5.1.3. As of now, the latest secure version is 5.1.4, released last week.
What Attackers Can Do With Admin Access
Administrator-level access to a WordPress site opens the door to a wide range of malicious activities. With this level of control, attackers can:
- Steal sensitive data: Access the entire database of registered users, including email addresses, names, and potentially payment information if the site handles transactions
- Distribute malware: Embed malicious code that can infect visitors’ devices when they access the compromised site
- Launch phishing campaigns: Use the legitimate domain to host convincing phishing pages that can bypass security filters
- Host command-and-control infrastructure: Use the compromised site as a base for controlling other infected systems
- Proxy malicious traffic: Route criminal activities through the legitimate site to hide their tracks
- Store stolen data: Use the site’s storage capabilities to house information stolen from other breaches
- Create backdoors: Install hidden access points that allow continued access even if the initial vulnerability is patched
The Broader Context: WordPress Under Constant Attack
This vulnerability is not an isolated incident but part of a broader pattern of attacks targeting WordPress sites. WordPress powers approximately 43% of all websites on the internet, making it an extremely attractive target for cybercriminals. The platform’s popularity, combined with the vast ecosystem of plugins and themes, creates numerous potential attack vectors.
In January 2026, just months before this vulnerability was discovered, hackers began exploiting another maximum-severity flaw (CVE-2026-23550) in the Modular DS WordPress plugin. That vulnerability similarly allowed attackers to bypass authentication remotely and gain administrator-level access to vulnerable sites.
“These are not one-off incidents,” notes a WordPress security specialist. “We’re seeing a systematic targeting of WordPress installations, particularly through third-party plugins. The plugin ecosystem, while incredibly powerful and flexible, introduces significant security risks when plugins are not properly maintained or when vulnerabilities slip through the development process.”
Immediate Actions Required for Site Administrators
For administrators of WordPress sites using the User Registration & Membership plugin, immediate action is essential. The security community recommends the following steps:
- Update immediately: If possible, update the plugin to version 5.1.4 or later. This is the most straightforward and effective solution.
- Temporary workarounds: If updating is not immediately possible due to compatibility issues or other constraints, consider temporarily disabling or uninstalling the plugin until you can apply the update.
- Monitor user accounts: Check for any suspicious new administrator accounts that may have been created during the window of vulnerability.
- Review site integrity: Examine your site for any unauthorized changes to content, plugins, or themes that might indicate a compromise.
- Change passwords: As a precautionary measure, change all administrator passwords and consider implementing two-factor authentication if not already in place.
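An added example of the "update" and "monitor user accounts" steps above as a small audit routine; it is not from the article or the plugin vendor. It assumes the administrator list comes from WordPress's get_users() or WP-CLI's `wp user list`, and the exposure-window date and sample accounts are constructed placeholders.

```php
<?php
// Added audit helper (not the plugin's code): flag administrator accounts
// created during the window in which a site could have been exploited, and
// check whether the installed plugin version predates the first fix.

/**
 * Return logins of administrators registered at or after $window_start that
 * are not on the known-good list. $admins rows hold 'user_login' and
 * 'user_registered' as returned by get_users(['role' => 'administrator'])
 * or `wp user list --role=administrator --format=json`; dates are the
 * 'Y-m-d H:i:s' UTC format WordPress stores.
 */
function suspicious_admins(array $admins, string $window_start, array $known_good): array {
    $utc   = new DateTimeZone('UTC');
    $start = new DateTimeImmutable($window_start, $utc);
    $flagged = [];
    foreach ($admins as $a) {
        if (in_array($a['user_login'], $known_good, true)) {
            continue;
        }
        if (new DateTimeImmutable($a['user_registered'], $utc) >= $start) {
            $flagged[] = $a['user_login'];
        }
    }
    return $flagged;
}

/** True when the installed version is below 5.1.3, the first patched release. */
function plugin_needs_update(string $installed, string $first_fixed = '5.1.3'): bool {
    return version_compare($installed, $first_fixed, '<');
}

// Constructed sample data; replace with the live query named above.
$admins = [
    ['user_login' => 'owner',   'user_registered' => '2024-03-01 09:00:00'],
    ['user_login' => 'wpuser1', 'user_registered' => '2026-02-10 03:14:07'],
    ['user_login' => 'editor2', 'user_registered' => '2026-02-12 11:45:00'],
];
// Assumption: the window opens when the site first ran a version <= 5.1.2;
// this date is a placeholder, not a date from the article.
$window_start = '2026-02-01 00:00:00';
$known_good   = ['owner', 'editor2'];

foreach (suspicious_admins($admins, $window_start, $known_good) as $login) {
    printf("Review and disable administrator account: %s\n", $login);
}
if (plugin_needs_update('5.1.2')) {
    echo "Plugin below 5.1.3: update to 5.1.4 or later, or deactivate it.\n";
}
```

Accounts the routine flags should be reviewed alongside the site-integrity check in the next step, since a flagged account may already have installed a backdoor.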
The Developer Response
WPEverest, the developer of the User Registration & Membership plugin, responded promptly to the disclosure of the vulnerability. Version 5.1.3 was released with the necessary security patches, followed by version 5.1.4 with additional improvements and bug fixes. The quick response demonstrates the importance of maintaining active relationships between plugin developers and the security community.
However, this incident highlights the ongoing challenge of securing the WordPress plugin ecosystem. With thousands of plugins developed by various teams with different levels of security expertise and resources, maintaining consistent security standards across the platform remains a significant challenge.
Looking Forward: The Future of WordPress Security
As WordPress continues to dominate the content management system market, the security challenges it faces will likely intensify. The community is responding with various initiatives aimed at improving security, including:
- Enhanced security scanning: More rigorous security testing for plugins before they’re listed in the official repository
- Automated vulnerability detection: Development of tools that can automatically identify common vulnerability patterns in plugin code
- Security bounties: Programs that reward security researchers for responsibly disclosing vulnerabilities
- Education and awareness: Increased focus on educating developers and site administrators about security best practices
The discovery and exploitation of CVE-2026-1492 serve as a stark reminder that in the digital landscape, security is not a destination but an ongoing journey. For WordPress site administrators, staying informed about potential vulnerabilities and maintaining up-to-date installations of plugins and themes is no longer optional—it’s an essential part of managing a web presence in an increasingly hostile digital environment.
As one security expert puts it: “In today’s threat landscape, the question isn’t if you’ll be targeted, but when. The best defense is preparation, vigilance, and rapid response when vulnerabilities are discovered.”
Tags: WordPress security, plugin vulnerability, CVE-2026-1492, admin account takeover, website hacking, cybersecurity threat, WPEverest plugin, User Registration & Membership, WordPress admin access, critical security flaw, website compromise, malware distribution, phishing attacks, command-and-control servers, WordPress plugin security