{"id":12064,"date":"2026-04-13T10:03:37","date_gmt":"2026-04-13T10:03:37","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/04\/13\/critical-wordpress-plugin-flaw-lets-attackers-bypass-authentication-and-gain-admin-access\/"},"modified":"2026-04-13T10:03:37","modified_gmt":"2026-04-13T10:03:37","slug":"critical-wordpress-plugin-flaw-lets-attackers-bypass-authentication-and-gain-admin-access","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/04\/13\/critical-wordpress-plugin-flaw-lets-attackers-bypass-authentication-and-gain-admin-access\/","title":{"rendered":"Critical WordPress Plugin Flaw Lets Attackers Bypass Authentication and Gain Admin Access"},"content":{"rendered":"<div>\n<p>A critical security flaw found in a widely used WordPress plugin is putting thousands of websites at serious risk worldwide. 
<\/p>\n<p>Tracked as CVE-2026-1492, this vulnerability affects the User Registration &amp; Membership plugin for WordPress and lets attackers completely bypass the login process to gain full administrator access \u2014 all without needing a username, password, or any existing account.<\/p>\n<p>Published on March 3, 2026, the vulnerability holds a CVSS v4.0 score of 9.8, placing it in the Critical severity category. It affects all versions of the User Registration &amp; Membership plugin up to and including version 5.1.2. <\/p>\n<p>The root cause is improper validation of user-controlled input combined with weak authorization checks inside the plugin\u2019s backend processing logic. <\/p>\n<p>The attack requires no special privileges, no user interaction, and can be carried out remotely over the internet.<\/p>\n<p><a href=\"https:\/\/www.cyfirma.com\/research\/cve-2026-1492-wordpress-user-registration-membership-authentication-bypass-flaw\/\" id=\"https:\/\/www.cyfirma.com\/research\/cve-2026-1492-wordpress-user-registration-membership-authentication-bypass-flaw\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CYFIRMA researchers identified and analyzed CVE-2026-1492<\/a>, noting that the flaw centers on how the plugin handles trust between its public-facing frontend and internal backend. <\/p>\n<p>Besides this, CVE-2026-1492 has been marked as \u201cCritical\u201d severity and has received a CVSS score of 9.8.<\/p>\n<p>The plugin relies on security tokens known as nonces, alongside AJAX-based workflows, to process membership-related requests. <\/p>\n<p>These tokens are embedded in client-side JavaScript on publicly visible pages, making them accessible to anyone \u2014 even users who are not logged in. 
<\/p>\n<p>By extracting these values, an attacker can craft a malicious request that triggers privileged backend actions and completely bypasses authentication.<\/p>\n<p>The consequences of a successful attack are severe. 
Once the flaw is exploited, the attacker immediately gains full administrative control over the targeted WordPress site. <\/p>\n<p>They can install or modify plugins, access and steal stored user data, <a href=\"https:\/\/cybersecuritynews.com\/accessibe-review-examining-its-role-in-website-accessibility\/\" id=\"86517\" target=\"_blank\" rel=\"noreferrer noopener\">alter website content<\/a>, create hidden admin accounts, and plant backdoors for persistent future access. <\/p>\n<p>A compromised site can also be turned into a platform for redirecting visitors to phishing pages or malware delivery sites, putting the site\u2019s own users at direct risk.<\/p>\n<p>Activity on underground forums shows that threat actors are already discussing and sharing techniques to exploit this vulnerability. <\/p>\n<p>Initial Access Brokers may use it to gain admin access and resell entry points for downstream criminal activities such as ransomware deployment, credential theft, and <a href=\"https:\/\/cybersecuritynews.com\/ai-generated-content-seo\/\" id=\"105496\" target=\"_blank\" rel=\"noreferrer noopener\">SEO spam<\/a> operations. <\/p>\n<p>This level of active interest confirms that the threat is real and immediate attention from site administrators is critical.<\/p>\n<h2 class=\"wp-block-heading\" id=\"inside-the-exploitation-workflow\"><strong>Inside the Exploitation Workflow<\/strong><\/h2>\n<p>The attack begins in a controlled environment where the vulnerable plugin is confirmed to be installed and running. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiZQmB7krXFt6wMBNRz2H8dO1XrWRgvdbvq5tKUbWDCSvb71rn6emeKx6gkU_CCEmPiZWMgJxxARd1tInSDNLKw2UAZHOIbcJLtHMueYyZ_cniHvAuw0W8MZ19bQgXacPlBc2JzPyYIeMdYChgdic2sc1VG5XR6uh7VCLv8sOffCwHGpQBSkNNWnOehzMg\/s16000\/Terminal%2520showing%2520Apache%2520and%2520MariaDB%2520status%2520%28Source%2520-%2520Cyfirma%29.webp?ssl=1\" alt=\"Terminal showing Apache and MariaDB status (Source - Cyfirma)\"><figcaption class=\"wp-element-caption\">Terminal showing Apache and MariaDB status (Source \u2013 Cyfirma)<\/figcaption><\/figure>\n<\/div>\n<p>The attacker prepares the test setup before approaching the target. 
The publicly accessible membership pricing page is then identified as the main entry point into the site\u2019s backend systems.<\/p>\n<p>Using the browser\u2019s developer tools, the attacker inspects the JavaScript on the membership page. 
This reveals nonce values and AJAX endpoint details that should never have been publicly accessible. <\/p>\n<p>With these values in hand, a crafted payload is sent to the\u00a0<code>\/wp-admin\/admin-ajax.php<\/code>\u00a0endpoint. The backend processes the request without checking whether the sender is authorized. <\/p>\n<p>The server then logs the attacker in and redirects the session to the WordPress admin dashboard, without a single valid credential being used.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgBe-OAOhw1pI3eFR2kOGOy_wgIamPOmG66h7Q6NCqBs0QmHVsoxGzQd2_i81S8TqXlImCDSx9Hz-P0h40NjVKU4Ou_Wg__KG5xtz-qr9SQRCI179HZ-Cz-w_LiX8GcvC4ZlZwWIOl-jMj5Gr-Wya3zwJoKyW6GcD9jeB1KT5DdBb9BTd3xU5JwN98qX3g\/s16000\/WordPress%2520Dashboard%2520showing%2520successful%2520login%2520%28Source%2520-%2520Cyfirma%29.webp?ssl=1\" alt=\"WordPress Dashboard showing successful login (Source - Cyfirma)\"><figcaption class=\"wp-element-caption\">WordPress Dashboard showing successful login (Source \u2013 Cyfirma)<\/figcaption><\/figure>\n<\/div>\n<p>The most important action is to immediately update the User Registration &amp; Membership plugin to version 5.1.3, where the vulnerability has been fixed. <\/p>\n<p>After patching, all administrator accounts should be reviewed, and any accounts created without proper authorization must be removed. 
Sessions tied to suspicious accounts should be invalidated, and unknown credentials reset right away.<\/p>\n<p>Organizations should also enforce strict server-side validation for all user-supplied input, especially values tied to role assignment. 
Access to sensitive endpoints like\u00a0<code>\/wp-admin\/admin-ajax.php<\/code>\u00a0must be tightly controlled, and internal <a href=\"https:\/\/cybersecuritynews.com\/pixel-perfect-extension-abuse-enables-covert-script-injection\/\" id=\"143956\" target=\"_blank\" rel=\"noreferrer noopener\">security tokens<\/a> should never be exposed in publicly accessible pages. <\/p>\n<p>The principle of least privilege should be applied across all user roles, and continuous monitoring for abnormal AJAX requests or unexpected privilege escalations must remain active at all times.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/wordpress-plugin-flaw-lets-attackers-bypass-authentication\/\">Critical WordPress Plugin Flaw Lets Attackers Bypass Authentication and Gain Admin Access<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Critical WordPress Plugin Flaw Lets Attackers Bypass Authentication and Gain Admin Access A critical security flaw found in a 
widely used WordPress plugin is putting thousands of websites at serious risk worldwide. Tracked as CVE-2026-1492, this vulnerability affects the User Registration &amp; Membership plugin for WordPress and lets attackers completely bypass the login process to [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-12064","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12064"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=12064"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12064\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=12064"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=12064"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=12064"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}