CVE-2026-1492

Critical

Published: 03 March 2026

Published

03 March 2026

Modified

22 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.2336 96.0th percentile

Risk Priority 34 60% EPSS · 20% KEV · 20% CVSS

Description

The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to improper privilege management in all versions up to, and including, 5.1.2. This is due…

to the plugin accepting a user-supplied role during membership registration without properly enforcing a server-side allowlist. This makes it possible for unauthenticated attackers to create administrator accounts by supplying a role value during membership registration.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates the vulnerability by requiring server-side validation of user-supplied role inputs against an allowlist during membership registration.

AC-3 Access Enforcement good match

prevent

Enforces approved access authorizations, preventing the assignment of unauthorized privileged roles such as administrator during self-registration.

AC-2 Account Management good match

prevent

Establishes account management procedures including privilege validation and approval for new account creation, blocking improper privilege escalation via registration.

Security SummaryAI

CVE-2026-1492 is an improper privilege management vulnerability (CWE-269) affecting the User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin for WordPress in all versions up to and including 5.1.2. The issue stems from the plugin accepting a user-supplied role during membership registration without enforcing a server-side allowlist, enabling attackers to bypass intended role restrictions. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to high confidentiality, integrity, and availability impacts.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By supplying an arbitrary role value, such as "administrator," during the membership registration process, attackers can create fully privileged administrator accounts on the target WordPress site, granting them complete control over the site’s content, users, and configuration.

Advisories reference a patch in WordPress plugin trac changeset 3469042 for the user-registration plugin, which likely addresses the server-side validation deficiency. Additional details are available in Wordfence threat intelligence at the provided vulnerability ID page, recommending immediate updates to mitigate exposure.

Details

CWE(s): CWE-269

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1136 Create Account Persistence

Adversaries may create an account to maintain access to victim systems.

attack.mitre.org →

Why these techniques?

Unauthenticated remote exploitation of a public-facing WordPress plugin vulnerability enables arbitrary account creation with administrator privileges, directly facilitating T1190 (Exploit Public-Facing Application) and T1136 (Create Account).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://plugins.trac.wordpress.org/changeset/3469042/user-registration
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/7e9fec92-f471-4ce9-9138-1c58ad658da2?source=cve
security@wordfence.com