WordPress User Registration Plugin Creates Admin Accounts Without Permission

Exploitation likelihood: 11%
CVE-2026-1492
Summary

A security issue in the User Registration & Membership plugin for WordPress allows attackers to create administrator accounts without permission. This is a concern because an attacker could gain full control of a website. To fix this, update the plugin to the latest version, which includes a patch for this issue.

Original title
The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to improper privil...
Original description
The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to improper privilege management in all versions up to, and including, 5.1.2. This is due to the plugin accepting a user-supplied role during membership registration without properly enforcing a server-side allowlist. This makes it possible for unauthenticated attackers to create administrator accounts by supplying a role value during membership registration.
NVD CVSS 3.1 score: 9.8
Vulnerability type
CWE-269 Improper Privilege Management
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026
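
The server-side allowlist that the description says was missing, sketched as an added example in plain PHP (not the plugin's code and not its patch). The field names `role` and `plan_id`, the role names and the plan map are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed for illustration: role names, plan ids and field names are assumptions.
const SELF_REGISTRATION_ROLES = ['subscriber', 'member']; // roles sign-up may ever grant
const DEFAULT_ROLE = 'subscriber';

/**
 * Decide the role for a self-registered account.
 *
 * @param array $post      Untrusted request fields.
 * @param array $planRoles Server-side map of membership plan id => role.
 * @return array{role: string, rejected: ?string}
 */
function resolve_registration_role(array $post, array $planRoles): array
{
    // The role is derived from server-side plan configuration, never from the request.
    $planId = isset($post['plan_id']) && is_scalar($post['plan_id']) ? (string) $post['plan_id'] : '';
    $role = $planRoles[$planId] ?? DEFAULT_ROLE;

    // Defence in depth: a misconfigured plan still cannot grant a role outside the allowlist.
    if (!in_array($role, SELF_REGISTRATION_ROLES, true)) {
        $role = DEFAULT_ROLE;
    }

    // A client-supplied role is ignored; return it so the caller can log the attempt.
    $rejected = null;
    if (isset($post['role']) && is_string($post['role']) && $post['role'] !== $role) {
        $rejected = $post['role'];
    }
    return ['role' => $role, 'rejected' => $rejected];
}

// Constructed sample input. Plan 2 is deliberately misconfigured to show the second check.
$planRoles = ['1' => 'member', '2' => 'administrator'];
$requests = [
    ['plan_id' => '1', 'email' => 'a@example.test'],
    ['plan_id' => '1', 'email' => 'b@example.test', 'role' => 'administrator'],
    ['plan_id' => '2', 'email' => 'c@example.test'],
];
foreach ($requests as $post) {
    $r = resolve_registration_role($post, $planRoles);
    printf("%s -> %s%s\n", $post['email'], $r['role'],
        $r['rejected'] !== null ? " (ignored requested role: {$r['rejected']})" : '');
}
```

In a real handler the returned role would be the only value passed to account creation, and a non-null `rejected` value would be written to the site's audit log.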