Blog Details

Hackers are exploiting a basic vulnerability in the User Registration & Membership plugin, which is installed on bigger than 60,000 WordPress web sites.

Developed by WPEverest, the plugin presents membership and user registration administration facets, including custom kinds, fee integrations with PayPal and Stripe, monetary institution transfers, and analytics.

The protection vulnerability is tracked as CVE-2026-1492 and obtained a basic severity rating of 9.8. Since the plugin accepts a user-supplied feature one day of membership registration, hackers can carry out administrator accounts with out authentication.

An administrator story has stout get entry to on the online pages, and it is required to set up plugins and subject issues, edit PHP code, alternate security settings, alter map pronounce material, and lock out unswerving house owners or admins.

An attacker with this level of get entry to can take knowledge, similar to the database of registered users, and embed malicious code to distribute malware to visitors.

Researchers at WordPress security company Defiant, the maker of the Wordfence security plugin, blocked bigger than 200 attempts to use CVE-2026-1492 in buyer environments in the previous 24 hours.

The vulnerability impacts all variations of User Registration & Membership thru 5.1.2. The developer launched a repair in model 5.1.3 of the plugin. Net pronounce material admins are suggested to interchange to basically the most modern model of the plugin, which is currently 5.1.4, launched final week.

If updating is never any longer doable, the recommendation is to hasty disable or uninstall the plugin.

In accordance to Wordfence knowledge, CVE-2026-1492 is largely the most severe vulnerability in the User Registration & Membership plugin disclosed this year.

Hackers are consistently concentrated on WordPress web sites for malicious actions that encompass malware distribution, phishing, web hosting remark-and-administration servers, proxy malicious web page online visitors, or to retailer stolen knowledge.

In January 2026, hackers started exploiting a most-severity flaw (CVE-2026-23550) in the Modular DS WordPress plugin, allowing them to avoid authentication remotely and get entry to inclined web sites with admin-level privileges.