PT-2026-22718 · WordPress · User Registration & Membership

Friderika Baranyai

·

Published

2026-03-03

·

Updated

2026-04-14

·

CVE-2026-1492

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin versions prior to 5.1.3
Description The plugin is subject to improper privilege management. This occurs because the software accepts a user-supplied role during membership registration without properly enforcing a server-side allowlist, allowing unauthenticated attackers to create administrator accounts. Over 60,000 devices worldwide are potentially affected. Real-world incidents have been reported, with hundreds of exploitation attempts blocked within a single day. Attackers can achieve this by sending requests to the 'admin-ajax.php' endpoint and supplying a privileged value to the role parameter.
Recommendations Update to version 5.1.3 or newer. As a temporary workaround, disable or uninstall the plugin to prevent unauthorized access.

Fix

LPE

Improper Privilege Management

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-1492

Affected Products

User Registration & Membership