Keypoints
- CVE-2026-1492 allows unauthenticated users to gain administrator privileges by submitting a user-controlled role during registration.
- The vulnerable plugin is WPEverest's User Registration & Membership, installed on over 60,000 WordPress sites.
- All plugin versions through 5.1.2 are affected; fixes were released in 5.1.3 and the current version is 5.1.4.
- An attacker with admin access can steal databases, embed malicious code, install plugins/themes, and lock out legitimate admins.
- If immediate updating is not possible, administrators should disable or uninstall the plugin; Wordfence has already blocked numerous exploit attempts.
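
A triage sketch for the points above, added here as an example and not taken from the advisory or the plugin's code: it classifies an installed copy against the affected range (through 5.1.2) and lists administrator accounts that are not on a known-good list. It assumes the header text is read from the plugin's main PHP file and the account list comes from WP-CLI's `wp user list --role=administrator --format=json`; the sample header, accounts and the `siteowner` allowlist are constructed.

```python
import json
import re

LAST_AFFECTED = (5, 1, 2)  # from the advisory: all versions through 5.1.2

def parse_version(text):
    """Return the numeric version tuple from a plugin header 'Version:' line, or None."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", text, re.MULTILINE | re.IGNORECASE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_affected(header_text):
    """True if affected, False if fixed, None if the version cannot be determined."""
    version = parse_version(header_text)
    if version is None:
        return None  # unknown: treat as needing manual review, not as safe
    padded = version + (0,) * (len(LAST_AFFECTED) - len(version))  # "5.1" -> 5.1.0
    return padded <= LAST_AFFECTED

def unexpected_admins(wp_cli_json, known_admins):
    """Administrator accounts not in the known-good set, oldest registration first."""
    known = {name.lower() for name in known_admins}
    users = json.loads(wp_cli_json)
    extra = [u for u in users if u["user_login"].lower() not in known]
    return sorted(extra, key=lambda u: u["user_registered"])

# Constructed sample input (not real data).
SAMPLE_HEADER = """/**
 * Plugin Name: User Registration & Membership
 * Version: 5.1.2
 */"""
SAMPLE_ADMINS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-04 09:15:00"},
    {"ID": 57, "user_login": "newadmin", "user_registered": "2026-02-11 02:41:07"},
])

if __name__ == "__main__":
    print("affected:", is_affected(SAMPLE_HEADER))
    for u in unexpected_admins(SAMPLE_ADMINS, {"siteowner"}):
        print("review admin account:", u["ID"], u["user_login"], u["user_registered"])
```

An account flagged here is only a lead for review: compare its registration time with when the site ran an affected version before removing it.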