- Critical flaw found in WordPress plugin allowing attackers to register admin accounts unauthenticated
- Over 37,000 sites currently exposed
Tens of thousands of WordPress websites are vulnerable to full site takeover, thanks to a critical-severity vulnerability just discovered in a popular plugin.
Security researchers at Defiant reported finding a bug in User Registration & Membership, a WordPress plugin which helps admins create subscription plans, control user access, and accept payments. The bug is due to the plugin accepting user-supplied roles during membership registration, without properly enforcing a server-side allowlist.
As a result, unauthenticated attackers can create admin accounts by supplying a role value at registration.
Actively abused
The bug is described as “improper privilege management” and is now tracked as CVE- 2026-1492. It has a severity score of 9.8/10 (critical) and affects all versions of the plugin up to, and including, 5.1.2. It was fixed in version 5.1.3 which is now available for download.
The researchers said they saw more than 200 attempts to exploit this vulnerability in just 24 hours, suggesting that cybercriminals are well aware of the flaw and are actively looking for exposed websites.
The attack surface is rather large, too, as according to the official WordPress repository, User Registration & Membership is installed on more than 60,000 active websites, and the vast majority (62.7%) are running versions 4.4 and older.
That means at least 37,000 websites are currently susceptible to the improper privilege management bug.
To make matters worse, the plugin page does not differentiate between versions 5.1.2 and 5.1.3, so it is quite possible that the actual number of vulnerable websites is even greater.
With an admin account, threat actors can wreak all sorts of havoc, from exfiltrating sensitive data, to using the website as a host for malware. They can also redirect legitimate traffic to malicious websites ridden with ads, can trick users into sharing login credentials, and more.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/7NLZKWEKmFLJVAH4nubeaX-970-80.jpg
Source link
