Friday, March 6, 2026

Critical WordPress plugin flaw allows hackers to create admin accounts on 60,000+ sites

A critical security vulnerability in the User Registration & Membership WordPress plugin is being actively exploited by hackers, putting more than 60,000 websites at risk.

The plugin, developed by WPEverest, is widely used to manage user registrations and memberships. It includes features such as custom registration forms, analytics and payment integrations with PayPal, Stripe and bank transfers.

The vulnerability, tracked as CVE-2026-1492, has received a critical severity score of 9.8. Security experts say the flaw allows attackers to create administrator accounts without authentication because the plugin accepts a user-supplied role during registration.
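The flaw class described here, a registration handler that trusts a role sent by the visitor, is shown below next to a hardened form. This is an added illustration in plain PHP, not code from the plugin; the field names, role allowlist and sample requests are hypothetical.

```php
<?php
// Added illustration of the bug class; not the plugin's code.
// Field names ('username', 'email', 'role') are hypothetical.

const DEFAULT_ROLE = 'subscriber';
// Roles a visitor may choose for themselves; never a privileged role.
const SELF_SERVICE_ROLES = ['subscriber', 'customer'];

// Vulnerable pattern: the role is copied from the unauthenticated request.
function register_vulnerable(array $request): array
{
    return [
        'username' => $request['username'],
        'email'    => $request['email'],
        'role'     => $request['role'] ?? DEFAULT_ROLE,
    ];
}

// Hardened pattern: the server decides the role. A requested role is
// honoured only if it strictly matches an entry on the allowlist, so
// privileged roles and non-string values fall back to the default.
function register_hardened(array $request): array
{
    $requested = $request['role'] ?? null;
    $role = in_array($requested, SELF_SERVICE_ROLES, true)
        ? $requested
        : DEFAULT_ROLE;
    return [
        'username' => $request['username'],
        'email'    => $request['email'],
        'role'     => $role,
    ];
}

// Constructed sample requests, including a non-string role value.
$samples = [
    ['username' => 'alice', 'email' => 'alice@example.test'],
    ['username' => 'bob', 'email' => 'bob@example.test', 'role' => 'customer'],
    ['username' => 'mallory', 'email' => 'm@example.test', 'role' => 'administrator'],
    ['username' => 'eve', 'email' => 'e@example.test', 'role' => ['administrator']],
];
foreach ($samples as $req) {
    $v = register_vulnerable($req);
    $h = register_hardened($req);
    printf("%-8s vulnerable=%s hardened=%s\n", $req['username'],
        json_encode($v['role']), json_encode($h['role']));
}
```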

Administrator-level access provides full control over a website. With this level of access, attackers can install plugins or themes, edit PHP code, change security settings, modify website content and lock out legitimate administrators.

Hackers could also steal sensitive data, including databases containing registered user information, or inject malicious code that spreads malware to website visitors.

Researchers at a cybersecurity firm, which develops a well-known WordPress security plugin, reported blocking more than 200 attempts to exploit CVE-2026-1492 in customer environments within the past 24 hours.

The vulnerability affects all versions of the User Registration & Membership plugin up to version 5.1.2. The developer has released a patch in version 5.1.3 and website administrators are advised to update to the latest available version, 5.1.4, which was released last week.

If immediate updates are not possible, security experts recommend temporarily disabling or uninstalling the plugin to prevent potential attacks.

According to security data, CVE-2026-1492 is the most severe vulnerability discovered in this plugin in 2026.

WordPress websites continue to be frequent targets for cybercriminals. Attackers often use compromised sites for malware distribution, phishing campaigns, command-and-control servers, proxying malicious traffic, or storing stolen data.

Earlier, in January 2026, hackers exploited another critical vulnerability, CVE-2026-23550, in the Modular DS WordPress plugin. That flaw allowed attackers to bypass authentication remotely and gain administrator-level access to vulnerable websites.
