
WordPress membership plugin bug exploited to create admin accounts

Hackers are exploiting a critical vulnerability in the User Registration & Membership plugin, which is installed on more than 60,000 WordPress sites.

Developed by WPEverest, the plugin provides membership and user registration management features, including custom forms, payment integrations with PayPal and Stripe, bank transfers, and analytics.

The security vulnerability is tracked as CVE-2026-1492 and received a critical severity score of 9.8. Because the plugin accepts a user-supplied role during membership registration, attackers can create administrator accounts without authentication.

An administrator account has full access to the website and is required to install plugins and themes, edit PHP code, change security settings, modify site content, and lock out legitimate owners or admins.

An attacker with this level of access can steal data, such as the database of registered users, and embed malicious code to distribute malware to visitors.

Researchers at WordPress security company Defiant, the maker of the Wordfence security plugin, blocked more than 200 attempts to exploit CVE-2026-1492 in customer environments in the past 24 hours.


The vulnerability affects all versions of User Registration & Membership through 5.1.2. The developer released a fix in version 5.1.3 of the plugin. Site admins are advised to update to the latest version of the plugin, which is currently 5.1.4, released last week.

If updating is not possible, the recommendation is to temporarily disable or uninstall the plugin.
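For plugin developers, the root cause described above, a role taken from the registration request, is avoidable by deciding the role on the server. The following is an added example of a hardened registration handler, not code from the User Registration & Membership plugin; the function name `example_register_member` and the request field names are assumptions, while the WordPress functions it calls are real.

```php
<?php
// Added example, not the plugin's code. The handler name and request keys
// are assumed; wp_insert_user, wp_roles, current_user_can etc. are WordPress APIs.

function example_register_member( array $request ) {
    // Vulnerable pattern this replaces: passing $request['role'] straight
    // into wp_insert_user(), which lets any visitor pick "administrator".
    //
    // Start from the site default (normally "subscriber") for everyone.
    $role = get_option( 'default_role', 'subscriber' );

    // Only an already-authenticated user who may promote others can choose
    // a different role, and even then never administrator via this form.
    if ( is_user_logged_in() && current_user_can( 'promote_users' ) ) {
        $requested = sanitize_key( $request['role'] ?? '' );
        if ( '' !== $requested
            && 'administrator' !== $requested
            && wp_roles()->is_role( $requested ) ) {
            $role = $requested;
        }
    }

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $request['username'] ?? '', true ),
        'user_email' => sanitize_email( $request['email'] ?? '' ),
        'user_pass'  => (string) ( $request['password'] ?? '' ),
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }

    // Belt and braces: a self-registration path should never yield an admin.
    // If it somehow does, record it so the event shows up in monitoring.
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
        error_log( sprintf( 'registration produced administrator account %d', $user_id ) );
    }
    return $user_id;
}
```

On a site that ran a vulnerable version, listing administrators with WP-CLI (`wp user list --role=administrator --fields=ID,user_login,user_email,user_registered`) and checking for accounts registered during the exposure window is a quick first audit.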

According to Wordfence data, CVE-2026-1492 is the most severe vulnerability in the User Registration & Membership plugin disclosed this year.

Hackers are constantly targeting WordPress sites for malicious activities that include malware distribution, phishing, hosting command-and-control servers, proxying malicious traffic, or storing stolen data.

In January 2026, hackers began exploiting a maximum-severity flaw (CVE-2026-23550) in the Modular DS WordPress plugin, allowing them to bypass authentication remotely and access vulnerable sites with admin-level privileges.
