WordPress Plugin Flaw Lets Attackers Create Admin Accounts

A vulnerability in a popular WordPress membership plugin could allow attackers to create administrator accounts and completely take over affected websites. 

The flaw affects the User Registration & Membership plugin and enables unauthenticated attackers to bypass security controls during the account registration process. 

This vulnerability allows “… unauthenticated attackers to create administrator accounts by supplying a role value during membership registration,” reported Wordfence in their advisory.

Inside the WordPress Privilege Escalation Flaw

The User Registration & Membership plugin is used by WordPress administrators to create custom registration forms, manage user accounts, and support membership sites such as online communities, learning platforms, and subscription services. 

Because the plugin directly manages user authentication and account creation, it plays a critical role in controlling who can access a website and what permissions they receive.  

The flaw, tracked as CVE-2026-1492, affects all versions of the plugin up to and including version 5.1.2. 

This vulnerability originates from an improper privilege management issue in the plugin’s user registration workflow.

How the WordPress Privilege Escalation Flaw Works

Under normal circumstances, WordPress assigns new users a predefined role — such as subscriber or contributor — based on configuration settings established by the site administrator. 

These role assignments are typically enforced through server-side validation to ensure that users cannot grant themselves higher privileges during the registration process.

In vulnerable versions of the plugin, however, the registration system accepts a user-supplied role parameter without properly validating whether the requested role is permitted. 

Because the plugin fails to enforce a server-side allowlist of acceptable roles, an attacker can manipulate the registration request and specify a higher-privileged role — such as administrator — when creating a new account.

What Attackers Can Do With Admin Access

If the manipulated request is processed successfully, the plugin may create a new account with full administrative privileges. 

Administrative access effectively gives an attacker complete control over the WordPress environment, including the ability to manage users, install or modify plugins, and alter core website settings.

With administrator privileges, attackers can modify site content, steal sensitive data, install malicious plugins or scripts, inject malware, and create persistent backdoors for continued access. 

Compounding the risk, version 5.1.2 of the plugin has also been linked to another vulnerability, tracked as CVE-2026-1779, which may allow attackers to bypass authentication mechanisms under certain conditions. 

Wordfence has released a patch for the issue and is reporting active exploitation in the wild.

How to Reduce Risk From WordPress Plugin Flaws

Website administrators should secure their WordPress environments, as vulnerabilities in plugins that manage user registration and authentication can allow unauthorized privilege escalation if left unpatched.

• Patch to the latest version to protect against threat actors assigning elevated roles during account registration.
• Conduct a full audit of WordPress user accounts and remove any unauthorized administrator profiles while resetting credentials for privileged accounts.
• Monitor registration endpoints and authentication logs for suspicious activity, including abnormal spikes in new registrations or attempts to submit elevated role requests.
• Deploy a web application firewall and enable rate limiting or bot protection to detect and block automated exploitation attempts.
• Restrict administrative access by implementing MFA, strong password policies, and IP allowlisting or zero trust access controls for the WordPress admin interface.
• Maintain strong plugin and application security hygiene by removing unused plugins, applying updates promptly, and conducting regular vulnerability scans of the web environment.
• Regularly test incident response plans and website recovery procedures to ensure rapid containment and remediation if unauthorized administrator accounts are created.

Together, these measures help limit the blast radius of potential account compromise while strengthening overall resilience across WordPress environments. 

Popular WordPress Plugins Attract Attackers

The vulnerability underscores the risks associated with widely used plugins that manage core website functions such as user authentication and account management. 

Because WordPress is deployed across a large number of websites, flaws in popular plugins can attract automated scanning and exploitation attempts once they are publicly disclosed.

This type of risk leads organizations to adopt zero trust solutions, which continuously verify access.