WordPress Plugin Flaw Exploited to Create Admin Accounts, Wordfence Blocks 200+ Attacks
Critical CVE-2026-1492 in WPEverest's User Registration plugin (60K+ sites) lets attackers create admin accounts without authentication. Wordfence blocked 200+ attacks in 24 hours. Patch to 5.1.4 now.
A critical privilege escalation vulnerability (CVE-2026-1492, CVSS 9.8) in the WordPress "User Registration & Membership" plugin by WPEverest is being actively exploited in the wild. The plugin is installed on over 60,000 WordPress sites.
What happened
The plugin accepts a user-supplied role during membership registration without proper validation. Attackers can register a new account and assign themselves the Administrator role. No authentication required, no password needed. One HTTP request and they own the site.
With admin access, attackers can install malicious plugins, edit PHP code, steal user databases and payment data, distribute malware to visitors, and lock out the legitimate site owner.
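As an added illustration (not WPEverest's code, and not the plugin's real handler), the anti-pattern described above is shown beside a hardened registration handler in plain WordPress PHP; the request field name `role`, the `SELF_REGISTRATION_ROLES` allowlist and the function names are assumptions for illustration.

```php
<?php
// Added example, not WPEverest's code: the "user-supplied role" anti-pattern
// beside a hardened handler. Assumes it runs inside WordPress (wp_insert_user,
// get_role, sanitize_* are WordPress core functions). The request field name
// 'role' and the allowlist below are assumptions for illustration.

// Roles a self-registered account may receive. Privileged roles are deliberately
// absent; in a real plugin this list comes from admin settings, never from the request.
const SELF_REGISTRATION_ROLES = ['subscriber'];

// Anti-pattern: the role is read from the request and trusted. Sanitizing the
// string does not make it authorized, so 'administrator' passes straight through.
function register_insecure(array $post) {
    $role = isset($post['role'])
        ? sanitize_text_field(wp_unslash($post['role']))
        : get_option('default_role', 'subscriber');
    return wp_insert_user([
        'user_login' => sanitize_user(wp_unslash($post['username'] ?? '')),
        'user_email' => sanitize_email(wp_unslash($post['email'] ?? '')),
        'user_pass'  => $post['password'] ?? wp_generate_password(),
        'role'       => $role, // attacker-controlled
    ]);
}

// Hardened: the role is resolved server-side. Anything not on the allowlist
// falls back to the site's default role, and the attempt is logged so a
// monitoring pipeline can see escalation probes even when they fail.
function resolve_registration_role(?string $requested, string $remote_ip): string {
    $default = get_option('default_role', 'subscriber');
    if ($requested === null || $requested === '') {
        return $default;
    }
    $requested = sanitize_key($requested);
    if (get_role($requested) === null || !in_array($requested, SELF_REGISTRATION_ROLES, true)) {
        error_log(sprintf('registration: disallowed role "%s" requested from %s', $requested, $remote_ip));
        return $default;
    }
    return $requested;
}

function register_secure(array $post, string $remote_ip) {
    return wp_insert_user([
        'user_login' => sanitize_user(wp_unslash($post['username'] ?? '')),
        'user_email' => sanitize_email(wp_unslash($post['email'] ?? '')),
        'user_pass'  => $post['password'] ?? wp_generate_password(),
        'role'       => resolve_registration_role($post['role'] ?? null, $remote_ip),
    ]);
}
```

The same allowlist check belongs anywhere a plugin lets a user change a role after registration, such as a profile-update handler.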
Active exploitation
Researchers at Defiant (the company behind Wordfence) reported blocking over 200 exploitation attempts in the past 24 hours alone. Full details are available in Wordfence's threat intelligence advisory. CVE-2026-1492 is the most severe vulnerability disclosed in this plugin this year.
All versions through 5.1.2 are affected. WPEverest released a fix in version 5.1.3, with the current recommended version being 5.1.4. Despite the patch being available since late February, tens of thousands of sites remain unpatched.
What to do
If you run WordPress with the User Registration & Membership plugin:
- Update immediately to version 5.1.4
- Check your WordPress dashboard for unknown administrator accounts created in the past two weeks
- If you cannot update, disable or uninstall the plugin
- Consider running a WordPress WAF like Wordfence, Sucuri, or NinjaFirewall to block exploitation attempts at the application layer
WAFplanet take
This is exactly the kind of attack a WordPress WAF exists to stop. The vulnerability is trivial to exploit and the payoff is total site takeover. Wordfence blocked 200+ attempts in a single day, which means attackers are already scanning at scale.
The pattern repeats: plugin vulnerability drops, patch ships, most sites don't update for weeks. A WAF buys you time during that gap. If you run WordPress without one, you are relying entirely on every plugin author getting security right and every admin patching promptly. That is not a realistic assumption.
For a full comparison of WordPress WAF options, see our Best WAF for WordPress guide and WordPress Security Guide 2026.