
Security Alert: Critical WordPress Plugin Vulnerability (CVE-2026-1492)

A critical security vulnerability (CVE-2026-1492) has been discovered in the WordPress User Registration & Membership (URM) plugin by WPEverest, which has over 60,000 active installations. The plugin accepts a user-supplied role during membership registration, allowing attackers to create administrator accounts without authentication, potentially resulting in full control of affected sites.

 

Affected Systems:
  • WordPress URM plugin: versions 5.1.2 and prior
 
Security Risks
 
Successful exploitation of this vulnerability allows attackers to create administrator accounts without authentication through the User Registration & Membership plugin, potentially resulting in full site takeover, unauthorized access, data theft, malware installation, distribution of malware to visitors, or complete lockout of legitimate site owners.
For a complete list of other recently disclosed WordPress plugin vulnerabilities and available patches, please refer to a WordPress vulnerability database.


Recommended Actions
The National Cyber Security Authority (NCSA) recommends that users and system administrators:
  • Upgrade, as soon as possible, to the latest supported version to maintain security and continue receiving technical support and patches.
  • Ensure you have the latest backup that can be easily restored before applying any updates or patches.
 
The released software version for upgrade is:
  • WordPress URM plugin: Upgrade to version 5.1.3 or above (latest is 5.1.4)
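
The check below is an added example, not part of the NCSA advisory: it compares an installed plugin version with the fixed release 5.1.3 and lists administrator accounts that deserve review, since exploitation of this flaw creates such accounts. It assumes the version string and the JSON come from WP-CLI (`wp plugin get <plugin-slug> --field=version` and `wp user list --role=administrator --format=json`); the known-admin list, the cutoff date and the sample records are constructed.

```python
import json
import re
from datetime import datetime

FIXED_VERSION = (5, 1, 3)  # first fixed release named in the advisory


def is_affected(version: str) -> bool:
    """True when the installed plugin version is older than 5.1.3."""
    parts = [int(n) for n in re.findall(r"\d+", version)[:3]]
    parts += [0] * (3 - len(parts))  # "5.1" -> 5.1.0; an empty string counts as affected
    return tuple(parts) < FIXED_VERSION


def unexpected_admins(users_json: str, known_admins: set, since: str) -> list:
    """Return (login, reasons) for administrator accounts that need review.

    users_json:   JSON array as printed by `wp user list --format=json` (assumed input)
    known_admins: logins the site owner has confirmed (assumed input)
    since:        ISO date; administrators registered on or after it are flagged
    """
    cutoff = datetime.fromisoformat(since)
    findings = []
    for user in json.loads(users_json):
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        if "administrator" not in roles:
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if user["user_login"] not in known_admins:
            reasons.append("not in known-admin list")
        if registered >= cutoff:
            reasons.append("registered on or after " + since)
        if reasons:
            findings.append((user["user_login"], reasons))
    return findings


# Constructed sample records, not taken from any real site.
SAMPLE_USERS = json.dumps([
    {"user_login": "admin", "user_registered": "2021-06-14 09:12:03", "roles": "administrator"},
    {"user_login": "webmaster", "user_registered": "2026-03-05 08:00:00", "roles": "administrator"},
    {"user_login": "svc_backup9", "user_registered": "2026-03-09 23:41:17", "roles": "administrator"},
])

if __name__ == "__main__":
    print("affected:", is_affected("5.1.2"))
    for login, reasons in unexpected_admins(SAMPLE_USERS, {"admin", "webmaster"}, "2026-03-01"):
        print(login, "->", "; ".join(reasons))
```

An account flagged only for its registration date may be legitimate; one that is also missing from the confirmed list should be treated as unauthorized until its owner is identified.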
 
For further information and support, please contact the National Cyber Security Authority (NCSA) by email to rwcsirt@ncsa.gov.rw or call us on 9009.


11 March 2026

© 2026 National Cyber Security Authority