Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.1
WordPress User Registration & Membership plugin lets attackers log in new users
CVE-2026-1779
Summary
A security issue in the User Registration & Membership plugin for WordPress allows an attacker to log in as a newly registered user without a password. This can happen if the 'urm_user_just_created' user meta is set. To fix this, update the plugin to version 5.1.3 or later.
Original title
The User Registration & Membership plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.2. This is due to incorrect authentication in the 'register_memb...
Original description
The User Registration & Membership plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.2. This is due to incorrect authentication in the 'register_member' function. This makes it possible for unauthenticated attackers to log in a newly registered user on the site who has the 'urm_user_just_created' user meta set.
nvd CVSS3.1
8.1
Vulnerability type
CWE-288
Authentication Bypass Using Alternate Path
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026