A massive security hole has been discovered in the User Registration & Membership plugin for WordPress, a popular tool used by over 60,000 websites to manage tiered subscription plans and custom login forms. The vulnerability, tracked as CVE-2026-1492, carries a near-maximum CVSS score of 9.8, marking it as a critical threat to the WordPress ecosystem.
The plugin is a comprehensive “all-in-one” solution for site owners, offering everything from drag-and-drop registration builders to built-in payment systems. However, a fundamental failure in how it handles new user roles has left the door wide open for attackers.
The core of the vulnerability lies in improper privilege management during the membership registration process. When a new user signs up, the plugin allows the registration request to include a specific user role.
In all versions up to and including 5.1.2, the plugin fails to enforce a server-side “allowlist” for these roles. Instead of the server deciding what role a new member should have (such as “Subscriber”), it blindly accepts whatever role is supplied in the registration data.
An unauthenticated attacker can simply “ask” to be an administrator by supplying the administrator role value during a standard membership signup. Because this happens during the initial registration, no existing account or special permissions are required to execute the attack.
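To make the missing server-side allowlist concrete, here is an added, hypothetical registration handler (not the plugin's own code, which this report has not seen) showing the vulnerable pattern beside its hardened form. The function names, the `plan` field and the plan-to-role table are assumptions; `wp_insert_user()` is the real WordPress API whose `role` argument both arrays feed.

```php
<?php
// Hypothetical membership signup handler illustrating the flaw described above.
// $request stands for the decoded POST/JSON body of a membership signup.

// VULNERABLE: the role is copied from client-controlled input, so a request
// carrying 'role' => 'administrator' is stored as-is.
function vulnerable_user_data(array $request): array
{
    return [
        'user_login' => $request['username'],
        'user_email' => $request['email'],
        'user_pass'  => $request['password'],
        'role'       => $request['role'] ?? 'subscriber',   // trusts the client
    ];
}

// HARDENED: the server owns the role decision. The client may only pick a
// membership plan; each plan maps to a low-privilege role on a fixed
// allowlist, and any unknown plan falls back to the default. Nothing on the
// allowlist is ever 'administrator', so no input can reach that role.
const PLAN_ROLE_ALLOWLIST = [
    'free'    => 'subscriber',
    'premium' => 'subscriber',   // paid plans still get a plain subscriber role
    'writer'  => 'contributor',  // assumed plan name; never map a plan to admin
];
const DEFAULT_ROLE = 'subscriber';

function resolve_registration_role(array $request): string
{
    $plan = (string) ($request['plan'] ?? '');
    // Any 'role' key the client sends is deliberately ignored here; a
    // client-supplied role that differs from the resolved one is worth
    // logging as a probe indicator.
    return PLAN_ROLE_ALLOWLIST[$plan] ?? DEFAULT_ROLE;
}

function hardened_user_data(array $request): array
{
    return [
        'user_login' => $request['username'],
        'user_email' => $request['email'],
        'user_pass'  => $request['password'],
        'role'       => resolve_registration_role($request),   // server decides
    ];
}

// Constructed sample request: a signup that also smuggles in a role value.
$request = ['username' => 'alice', 'email' => 'alice@example.com',
            'password' => 'correct-horse', 'plan' => 'premium',
            'role' => 'administrator'];
if (hardened_user_data($request)['role'] !== 'subscriber') {
    throw new RuntimeException('allowlist failed');
}
echo vulnerable_user_data($request)['role'], ' vs ', hardened_user_data($request)['role'], PHP_EOL;
```

Only the hardened array should ever be passed to `wp_insert_user()`; the vulnerable one is kept solely to show which line the fix replaces.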
A successful exploit gives an attacker full administrative control over the affected WordPress site. Once an admin account is created, the attacker can:
- Access and steal sensitive user and payment data.
- Modify, delete, or hold site content for ransom.
- Install malicious backdoors or use the site to launch further attacks on visitors.
The massive install base of 60,000+ sites makes this an attractive target for automated “bot” campaigns looking to compromise high-traffic membership platforms.
The developers have released an urgent patch to address this role-handling logic. Users must update to version 5.1.3 or later to block this attack vector.