WordPress Membership Plugin Flaws Enable Administrator Account Takeover
Multiple high-severity flaws in popular WordPress membership plugins can let attackers create administrator accounts and fully compromise affected sites. In the User Registration & Membership plugin, CVE-2026-1492 affects versions through 5.1.2 and allows unauthenticated attackers to bypass authentication by abusing exposed nonce values, weak server-side validation, and legitimate AJAX functionality in membership workflows, including requests to admin-ajax.php. Researchers said successful exploitation can lead to malicious plugin installation, persistence, data theft, site defacement, and potential remote code execution; the issue is fixed in version 5.1.3, and public exploit code is available.
A separate cluster of vulnerabilities affects WishList Member through version 3.30.1, where several missing authorization checks let Subscriber-level or higher users escalate privileges. CVE-2026-6895 and CVE-2026-6419 can expose the plugin's REST API Secret Key through AJAX actions, while CVE-2026-6898 and CVE-2026-6897 allow authenticated users to generate or modify that key and other plugin settings. With the API key, an attacker can create a membership level mapped to the WordPress administrator role, register a new admin account, and take over the site, extending a pattern of recurring authentication-bypass and privilege-escalation weaknesses previously seen in related membership plugin codebases.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Multiple WishList Member privilege-escalation CVEs disclosed
Four high-severity vulnerabilities affecting WishList Member for WordPress up to version 3.30.1 were disclosed, all enabling Subscriber-level users to obtain or modify the plugin's REST API Secret Key and escalate privileges to administrator. The issues involved the wlm3_export_settings, wlm3_get_screen, wlm3_generate_api_key, and wishlistmember_team_accounts_save_settings AJAX actions.
CYFIRMA details exploitation paths and underground interest in CVE-2026-1492
CYFIRMA published technical analysis of CVE-2026-1492, describing direct role manipulation during registration and abuse of /wp-admin/admin-ajax.php membership workflows. The report also noted public exploit availability and observed underground interest in the vulnerability.
User Registration & Membership flaw fixed in version 5.1.3
The vendor addressed CVE-2026-1492 by releasing version 5.1.3 of the User Registration & Membership plugin. The fix remediated the server-side validation and authorization weaknesses enabling admin account creation and site compromise.
CVE-2026-1492 published for User Registration & Membership plugin
A critical authentication bypass and privilege escalation flaw affecting the WordPress User Registration & Membership plugin up to version 5.1.2 was published. The issue allowed unauthenticated attackers to abuse AJAX membership workflows and potentially gain administrator access.
Public exploit repository appears for User Registration & Membership flaw
A GitHub repository for CVE-2025-2594 describing an authentication bypass in the WordPress User Registration & Membership plugin was published, indicating public exploit or proof-of-concept availability for that earlier issue.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
CVE-2026-6895 - Wishlist Member <= 3.30.1 - Missing Authorization to Authenticated (Subscriber+) API Secret Key Disclosure and Privilege Escalation via 'wlm3_export_settings' AJAX Action
cvefeed.io
Open sourceCVE-2026-6419 - Wishlist Member <= 3.30.1 - Missing Authorization to Authenticated (Subscriber+) API Secret Key Disclosure and Privilege Escalation via 'wlm3_get_screen' AJAX action
cvefeed.io
Open sourceCVE-2026-6898 - WishList Member <= 3.30.1 - Missing Authorization to Authenticated (Subscriber+) Generate API Secret Key via 'wlm3_generate_api_key' AJAX action
cvefeed.io
Open sourceCVE-2026-6897 - Wishlist Member <= 3.30.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Options Update via 'wishlistmember_team_accounts_save_settings' AJAX action
cvefeed.io
Open sourceCVE-2026-1492 WordPress User Registration & Membership Authentication Bypass Flaw - CYFIRMA
cyfirma.com
Open sourceGitHub - ubaydev/CVE-2025-2594: User Registration & Membership <= 4.1.2 - Authentication Bypass · GitHub
github.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Exploitation of CVE-2026-1492 in WordPress User Registration & Membership Plugin Enables Admin Account Creation
Active exploitation has been reported against **CVE-2026-1492** in the *User Registration & Membership* WordPress plugin (WPEverest), allowing **unauthenticated privilege escalation** by submitting a user-controlled role value during membership registration. The flaw affects versions **through 5.1.2** and enables attackers to create **administrator** accounts, which can then be used to install plugins/themes, modify PHP code and security settings, exfiltrate site/user data, and potentially implant malware or backdoors. Wordfence/Defiant telemetry cited in reporting indicates exploitation attempts were observed and blocked at scale in customer environments. A fix was released in **5.1.3** (with **5.1.4** available), and the recommended mitigation is to **update immediately** or temporarily disable/uninstall the plugin if patching is not possible. Other WordPress plugin CVEs in the provided material—**CVE-2026-1321** (*Restrict Content* unauth privilege escalation via `rcp_level`), **CVE-2026-1720** (*WowOptin* missing authorization enabling Subscriber+ arbitrary plugin installation), and **CVE-2026-2628** (*All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login* authentication bypass)—are separate issues and should be tracked independently, as they do not describe the same exploited vulnerability affecting *User Registration & Membership* (CVE-2026-1492).
Apr 13, 2026
WordPress Plugin Flaws Enable Account Takeover and Possible RCE
Multiple high-severity flaws in WordPress plugins exposed sites to account takeover and, in one case, possible remote code execution. In **Users Manager PN**, tracked as `CVE-2026-4003`, a missing authorization check in the `userspn_ajax_nopriv_server()` handler let unauthenticated attackers overwrite arbitrary user metadata through the `userspn_form_save` AJAX action. Because the required `userspn-nonce` was reportedly exposed on public pages, attackers could abuse the bug with a single crafted request to modify profiles and potentially seize control of administrator accounts. The issue affected versions through `1.1.15` and was reportedly fixed in `1.1.20`. Two additional vulnerabilities were disclosed in **WP Captcha PRO** affecting versions through `5.38`. `CVE-2026-5415` allowed **Subscriber-level users or higher** to generate temporary login links for arbitrary accounts because the `ajax_run_tool()` AJAX handler checked only a nonce and not user capabilities, enabling authentication bypass and administrator takeover. Separately, `CVE-2026-5411` allowed authenticated low-privilege users to upload attacker-controlled files by poisoning license metadata and abusing `sync_cloud_protection()` to download and extract content into a web-accessible uploads directory; if PHP execution was possible and `allow_url_fopen` was enabled for remote retrieval, the flaw could be escalated to **remote code execution** via a webshell.
Jun 12, 2026
Critical WordPress Plugin Vulnerabilities Enable Account Takeover and Privilege Escalation
Multiple high-severity vulnerabilities were disclosed across popular **WordPress plugins**, creating pathways to account takeover, privilege escalation, and sensitive data exposure. The most severe issue, **CVE-2025-15521** in *Academy LMS* (<= `3.5.0`), allows **unauthenticated administrator account takeover** because the plugin’s password update flow relies on a **publicly exposed WordPress nonce** as authorization rather than validating user identity; *Wordfence* reported observing exploitation attempts in the wild and blocking dozens of attacks in a 24-hour period. Additional disclosures affect other plugins with different exploitation prerequisites and impacts. **CVE-2026-0726** in *Nexter Extension – Site Enhancements Toolkit* (<= `4.4.6`) is an **unauthenticated PHP object injection** via `nxt_unserialize_replace`, but it requires a usable **POP chain** from another installed plugin/theme to reach file deletion, data theft, or code execution. **CVE-2025-15347** in *Creator LMS* (<= `1.1.12`) enables **authenticated (Contributor+)** attackers to update arbitrary WordPress options due to a missing capability check, potentially leading to privilege escalation or site compromise. **CVE-2025-14977** in *Dokan* (<= `4.2.4`) is an **IDOR** in the `/wp-json/dokan/v1/settings` REST endpoint that lets **authenticated (Customer+)** users read/modify other vendors’ settings, including changing PayPal payout emails and accessing bank/payment details, enabling fraud and sensitive information disclosure.
Mar 21, 2026