CVE Watch · Last verified 2026-05-15

WordPress User Registration plugin — CVE-2026-1492

A single POST request can make an attacker the administrator of your WordPress site. No password. No clicks. Public exploit scripts are circulating. Initial Access Brokers are already reselling admin access on underground forums. Rwanda's National Cyber Security Authority issued a national alert. Verify in 3 minutes using your own WP Admin — no credentials shared.

Verified facts (sources at the bottom)

  • CVE-2026-1492 — authentication bypass in the WordPress User Registration & Membership plugin. CVSS v4 9.8 (Critical). Source: NVD, Cyfirma, GBHackers, CyberSecurityNews.
  • Affected versions: all plugin releases ≤ 5.1.2. Fixed in 5.1.3.
  • Weakness: CWE-269 — Improper Privilege Management.
  • Attack vector: the plugin prints WordPress nonce values into the JavaScript it serves on the public membership page, so any visitor can read them. The attacker then sends a single crafted POST request to /wp-admin/admin-ajax.php carrying one of those nonces. A nonce is a CSRF token, not a credential: it only shows that the request was built from a page the site handed out, and the backend performs no authorisation check beyond it, so it never verifies that the sender is permitted to do what the request asks. The result is an account registered with administrator privileges. The missing control is a server-side capability check on the handler; a nonce check on its own authorises nothing.
  • Exploitation status: public exploit scripts are circulating; Initial Access Brokers are reselling admin access on underground forums.
  • Government advisory: Rwanda's National Cyber Security Authority issued a formal advisory.
  • Affected sectors: e-commerce, education, media — globally deployed.

Who should care?

Anyone whose WordPress site uses the User Registration & Membership plugin (plugin slug user-registration) at any version ≤ 5.1.2. If you don't use this plugin, this CVE does not affect you, but the same self-check structure applies to the plugin CVEs disclosed every week: Wordfence Intelligence's vulnerability database records thousands of new WordPress plugin and theme vulnerabilities each year.

3-minute self-check

Step 1: Confirm whether the plugin is installed

From WordPress admin: Plugins → Installed Plugins → search for "User Registration". If you see User Registration & Membership, continue to Step 2. If not, you are not affected by this CVE.

Step 2: Confirm the version

On the same Plugins page, the version is shown directly under the plugin name. Compare it field by field rather than as a string (5.1.10 is newer than 5.1.3). If it is 5.1.3 or higher, you are patched against this CVE. If it is 5.1.2 or lower, continue to Step 3 immediately. A deactivated copy does not load its admin-ajax handlers, but update or delete it anyway so it cannot be reactivated at a vulnerable version.

Step 3: Look for indicators of compromise

Six signs that an attacker may already have used CVE-2026-1492 against your site:

  • Hidden administrators. WP Admin → Users → filter by Role: Administrator. Note any account you do not recognise (especially with gibberish usernames or generic email addresses).
  • Recently created users with elevated roles. The single-site Users screen does not show registration dates, so read the user_registered column of wp_users (via WP-CLI or your database tool) and list Administrators newest first. New Administrators created without your knowledge are the most direct indicator.
  • Modified wp_options values. If siteurl or home have been changed without your action, treat as compromised.
  • Unexpected files in /wp-content/uploads/. Look for executable files: .php and variants such as .phtml or .php7 (uploads should contain only media). A PHP file in uploads is the classic webshell drop.
  • Modified .htaccess. Check the modification time on .htaccess. If it is newer than your last legitimate change, review the file contents.
  • Plugin file integrity. Run wp plugin verify-checksums --all via WP-CLI (and wp core verify-checksums for core files), or use Wordfence Free → Scan to identify modified plugin files. Checksums exist only for plugins distributed through wordpress.org; premium or custom plugins are skipped with a warning and need a manual diff against a known-good copy.

Step 4: Apply the upgrade

WordPress admin → Plugins → User Registration & Membership → Update Now. After the update completes, verify the version number reads 5.1.3 or higher. Updating closes the hole but does not evict an attacker who already created an administrator account or dropped a webshell: if Step 3 turned up any indicator, remove the rogue accounts and files (or go straight to Step 5) and reset the passwords of all administrators. The upgrade does not normally break checkout or membership flows on production, but if you have heavy customisations on the registration form, test on staging first.
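The whole self-check as one script, added here as an example; it is not Ping7's tooling or the plugin's own code. It assumes WP-CLI is installed as wp and that it runs from the WordPress root (or that WP_PATH points there). The slug user-registration and the fixed version 5.1.3 come from the facts above; the function names, variable names and message text are the example's own. It covers Steps 1 to 3 and prints the update command for Step 4 instead of running it, so heavily customised sites can follow the staging advice first. The version comparison is done field by field so that 5.1.10 is correctly ranked above 5.1.3.

```shell
#!/bin/sh
# Added example: a CVE-2026-1492 self-check built on WP-CLI.
# Assumptions (not from the advisory): WP-CLI is installed as `wp`, and WP_PATH
# points at the WordPress root (defaults to the current directory).
# From the advisory: plugin slug user-registration, fixed version 5.1.3.

PLUGIN_SLUG="user-registration"
FIXED_VERSION="5.1.3"
WP_PATH="${WP_PATH:-.}"

# version_ge A B: exit 0 when dotted version A >= B, comparing field by field.
# A plain string comparison would rank 5.1.10 below 5.1.3; this does not.
# Missing fields count as 0 (5.1 == 5.1.0); non-digit suffixes are ignored.
version_ge() {
  v1=$1
  v2=$2
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    f1=${v1%%.*}; f2=${v2%%.*}
    case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
    case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    f1=${f1%%[!0-9]*}; f2=${f2%%[!0-9]*}
    f1=${f1:-0}; f2=${f2:-0}
    if [ "$f1" -gt "$f2" ]; then return 0; fi
    if [ "$f1" -lt "$f2" ]; then return 1; fi
  done
  return 0
}

# plugin_status VERSION: verdict for an installed version ("" = not installed).
plugin_status() {
  if [ -z "$1" ]; then
    echo "not-installed"
  elif version_ge "$1" "$FIXED_VERSION"; then
    echo "patched"
  else
    echo "VULNERABLE"
  fi
}

# Steps 1-3 against a live site; prints findings for a human to review.
run_self_check() {
  # Steps 1 and 2: is the plugin installed, and at which version?
  installed=$(wp plugin get "$PLUGIN_SLUG" --field=version --path="$WP_PATH" 2>/dev/null || true)
  verdict=$(plugin_status "$installed")
  echo "[1-2] $PLUGIN_SLUG version '${installed:-none}': $verdict"
  if [ "$verdict" = "not-installed" ]; then
    return 0
  fi

  # Step 3: administrators newest first, with the registration date that the
  # single-site Users screen does not display.
  echo "[3] administrator accounts (newest first):"
  wp user list --role=administrator --fields=ID,user_login,user_email,user_registered \
    --orderby=registered --order=DESC --path="$WP_PATH"

  echo "[3] siteurl / home (should be the values you set):"
  wp option get siteurl --path="$WP_PATH"
  wp option get home --path="$WP_PATH"

  echo "[3] executable files under wp-content/uploads (should be none):"
  find "$WP_PATH/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null

  echo "[3] .htaccess modification time:"
  if [ -f "$WP_PATH/.htaccess" ]; then ls -l "$WP_PATH/.htaccess"; fi

  echo "[3] file integrity (wordpress.org-hosted plugins and core only):"
  wp plugin verify-checksums --all --path="$WP_PATH"
  wp core verify-checksums --path="$WP_PATH"

  # Step 4 is left to you so that customised sites can be tested on staging first.
  if [ "$verdict" = "VULNERABLE" ]; then
    echo "Next: wp plugin update $PLUGIN_SLUG --path=$WP_PATH, then re-run this check."
  fi
}

if command -v wp >/dev/null 2>&1; then
  run_self_check
else
  echo "wp (WP-CLI) not found; live checks skipped" >&2
fi
```

Save it under any name and run it as WP_PATH=/path/to/wordpress sh selfcheck.sh as the user that owns the site files, so WP-CLI can read wp-config.php. The script only reads; the one change it suggests (the plugin update) is printed for you to run after you have reviewed the Step 3 findings.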

Step 5: When you should bring in help

Red flags that mean "do not keep using this site until cleaned":

  • Unknown administrator accounts you cannot trace
  • Modified plugin or theme files you did not edit
  • Visitors reporting redirects to phishing or malware pages
  • Sudden traffic anomalies in your access logs
  • Customer reports of strange behaviour at checkout or login
  • Google Search Console security warning on your domain

Free resources

Need help fixing this vulnerability?

Professional remediation by the same team that tracks these threats.

  • $49 Quick Patch Call: 30-minute screenshare, we patch together
  • $99 Compromise Check: IOC scan, backdoor hunt, written report
  • $199 Full Security Audit: plugin audit, hardening, written report
  • $299–$999 Incident Response: full cleanup, forensics, and recovery

Want CVE alerts in your inbox?

Ping7 runs a public CVE early-warning radar that filters NVD and CISA KEV for vulnerabilities relevant to WordPress, web hosting, and the rest of the small-site stack. One email per Critical CVE that affects WordPress sites. No spam, no partner sales.

Subscribe (or just bookmark this page)

References

Ping7 is not affiliated with Automattic Inc., the WordPress Foundation, or any plugin author. All trademarks belong to their owners. This page references public CVE data only and does not include proof-of-concept code, exploitation steps, or any information that goes beyond public advisories.