
WordPress membership plugin bug exploited to create admin accounts

Hackers are exploiting a critical vulnerability in the User Registration & Membership plugin, which is installed on more than 60,000 WordPress sites.

Developed by WPEverest, the plugin provides membership and user registration management features, including custom forms, payment integrations with PayPal and Stripe, bank transfers, and analytics.

The security vulnerability is tracked as CVE-2026-1492 and received a critical severity rating of 9.8. Because the plugin accepts a user-supplied role during membership registration, hackers can create administrator accounts without authentication.

An administrator account has full access to the website and is the level of access required to install plugins and themes, edit PHP code, change security settings, modify site content, and lock out legitimate owners or admins.

An attacker with this level of access can steal data, such as the database of registered users, and embed malicious code to distribute malware to visitors.

Researchers at WordPress security company Defiant, the maker of the Wordfence security plugin, blocked more than 200 attempts to exploit CVE-2026-1492 in customer environments in the past 24 hours.

The vulnerability affects all versions of User Registration & Membership through 5.1.2. The developer released a fix in version 5.1.3 of the plugin. Website admins are advised to update to the latest version of the plugin, which is currently 5.1.4, released last week.

If updating is not possible, the recommendation is to temporarily disable or uninstall the plugin.
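As an added example (not from the article, Wordfence or WPEverest), the following Python sketch checks an installed version against the fixed release and flags administrator accounts that the site owner does not recognise. It assumes the user list was exported with WP-CLI as JSON; the sample users, the known-good list and the cutoff date are constructed for illustration.

```python
import json
from datetime import datetime

FIXED_VERSION = (5, 1, 3)  # first fixed release named in the article


def is_affected(installed):
    """True for any release through 5.1.2, False for 5.1.3 and later."""
    return tuple(int(p) for p in installed.strip().split(".")) < FIXED_VERSION


def unexpected_admins(users_json, known_admins, since):
    """Administrator logins registered on or after `since` (YYYY-MM-DD,
    chosen by the operator) that are not in the known-good set."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    flagged = []
    for user in json.loads(users_json):
        roles = [r.strip() for r in user["roles"].split(",")]
        registered = datetime.strptime(user["user_registered"],
                                       "%Y-%m-%d %H:%M:%S")
        if ("administrator" in roles and registered >= cutoff
                and user["user_login"] not in known_admins):
            flagged.append(user["user_login"])
    return flagged


# Constructed sample, shaped like the output of
#   wp user list --fields=user_login,user_registered,roles --format=json
SAMPLE_USERS = json.dumps([
    {"user_login": "siteowner", "user_registered": "2023-05-10 09:12:44",
     "roles": "administrator"},
    {"user_login": "member1", "user_registered": "2026-02-20 18:03:11",
     "roles": "subscriber"},
    {"user_login": "newadmin", "user_registered": "2026-03-02 02:41:07",
     "roles": "administrator"},
])

if __name__ == "__main__":
    print("5.1.2 affected:", is_affected("5.1.2"))
    print("review:", unexpected_admins(SAMPLE_USERS, {"siteowner"}, "2026-01-01"))
```

Any login it returns should be reviewed by the site owner, since a site that ran an affected version may hold an administrator account nobody on the team created.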

According to Wordfence data, CVE-2026-1492 is the most severe vulnerability in the User Registration & Membership plugin disclosed this year.

Hackers constantly target WordPress sites for malicious activities that include malware distribution, phishing, hosting command-and-control servers, proxying malicious traffic, or storing stolen data.

In January 2026, hackers began exploiting a maximum-severity flaw (CVE-2026-23550) in the Modular DS WordPress plugin, allowing them to bypass authentication remotely and access vulnerable sites with admin-level privileges.
