PT-2026-22718 · WordPress · User Registration & Membership

Friderika Baranyai · Published 2026-03-03 · Updated 2026-04-14 · CVE-2026-1492

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin versions prior to 5.1.3

Description

The plugin is subject to improper privilege management. This occurs because the software accepts a user-supplied role during membership registration without properly enforcing a server-side allowlist, allowing unauthenticated attackers to create administrator accounts. Over 60,000 devices worldwide are potentially affected. Real-world incidents have been reported, with hundreds of exploitation attempts blocked within a single day. Attackers can achieve this by sending requests to the 'admin-ajax.php' endpoint and supplying a privileged value to the role parameter.

Recommendations

Update to version 5.1.3 or newer. As a temporary workaround, disable or uninstall the plugin to prevent unauthorized access.
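
The missing control named in the description, a server-side role allowlist, sketched in PHP as an added example; it is not the plugin's code and not the 5.1.3 fix. All function names, the plan table and the sample payloads are hypothetical and constructed for illustration.

```php
<?php
// Added illustration: every name here is hypothetical, not the plugin's code.

// Roles a self-service signup may ever receive (assumed site policy).
const SELF_SERVICE_ROLES = ['subscriber', 'customer'];

// Constructed server-side plan table: the role belongs to the plan, not the request.
// 'legacy' is deliberately misconfigured to show the second check.
const MEMBERSHIP_PLANS = [
    'basic'   => ['role' => 'subscriber'],
    'premium' => ['role' => 'customer'],
    'legacy'  => ['role' => 'administrator'],
];

// Pattern the advisory describes: the request chooses its own role.
function role_from_request_unsafe(array $request): string
{
    return is_string($request['role'] ?? null) ? $request['role'] : 'subscriber';
}

// Hardened: any 'role' key in the request is ignored. The role comes from the
// plan table and must also be on the allowlist, otherwise the default is used.
function role_from_plan(array $request, string $default = 'subscriber'): string
{
    $plans   = MEMBERSHIP_PLANS;
    $plan_id = is_string($request['plan'] ?? null) ? $request['plan'] : '';
    $role    = $plans[$plan_id]['role'] ?? $default;
    return in_array($role, SELF_SERVICE_ROLES, true) ? $role : $default;
}

// Constructed registration payloads, including malformed (non-string) fields.
$samples = [
    ['plan' => 'premium'],
    ['plan' => 'basic', 'role' => 'administrator'],
    ['plan' => 'legacy'],
    ['plan' => ['x'], 'role' => ['administrator']],
];

foreach ($samples as $request) {
    printf(
        "%-50s unsafe=%-14s hardened=%s\n",
        json_encode($request),
        role_from_request_unsafe($request),
        role_from_plan($request)
    );
}
```

In a WordPress handler, the value returned by the hardened function, never a request field, is what would be passed as the new account's role.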

Fix

LPE

Improper Privilege Management

Weakness Enumeration

Related Identifiers: CVE-2026-1492

Affected Products: User Registration & Membership