Hackers exploiting WordPress membership plugin bug to create admin accounts
Date:
Fri, 06 Mar 2026 17:10:00 +0000
Description:
A popular WordPress plugin can be abused to take over websites - with thousands of sites reportedly vulnerable.
FULL STORY ======================================================================
Critical flaw found in WordPress plugin allowing attackers to register admin accounts unauthenticated
Over 37,000 sites currently exposed

Tens of thousands of WordPress websites are vulnerable to full site takeover, thanks to a critical-severity vulnerability just discovered in a popular plugin.
Security researchers at Defiant reported finding a bug in User Registration & Membership, a WordPress plugin which helps admins create subscription plans, control user access, and accept payments. The bug is due to the plugin accepting a user-supplied role during membership registration without enforcing a server-side allowlist of permitted roles. As a result, unauthenticated attackers can create administrator accounts simply by supplying a role value in the registration request.

Actively abused

The bug is classified as improper privilege management and is now tracked as CVE-2026-1492. It has a severity score of 9.8/10 (critical) and affects all versions of the plugin up to, and including, 5.1.2. It was fixed in version 5.1.3, which is now available for download.
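The paragraph above describes the bug class but not the code, so the following is an added illustration, not the User Registration & Membership plugin's own source. It shows the vulnerable pattern (a client-supplied "role" field handed straight to wp_insert_user) next to a hardened handler in which the client names only a membership plan, the server maps that plan to a role through a fixed allowlist, and a second guard refuses any role carrying site-management capabilities. The function names, plan slugs and request fields are hypothetical; the WordPress APIs (wp_insert_user, get_role, the set_user_role hook) are core.

```php
<?php
// Added illustration of the bug class described above. This is NOT the
// plugin's code; urm_demo_* names, plan slugs and request fields are made up.

// VULNERABLE PATTERN: whatever role the client sends is passed to
// wp_insert_user(). An unauthenticated request carrying role=administrator
// therefore yields an administrator account. Sanitising the value does not
// help; the problem is that the client chooses it at all.
function urm_demo_register_vulnerable( array $request ) {
    $role = isset( $request['role'] ) ? sanitize_key( $request['role'] ) : 'subscriber';

    return wp_insert_user( array(
        'user_login' => sanitize_user( $request['username'] ),
        'user_email' => sanitize_email( $request['email'] ),
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role, // attacker-controlled
    ) );
}

// HARDENED PATTERN, step 1: a server-side allowlist mapping membership plan
// to WordPress role. It lives in code, not in a request parameter or a
// publicly writable setting. (Hypothetical plans.)
function urm_demo_allowed_roles() {
    return array(
        'free'    => 'subscriber',
        'premium' => 'subscriber',
        'author'  => 'author',
    );
}

// Step 2: refuse any role that could take over the site, so a later
// misconfiguration of the allowlist cannot reintroduce the bug.
function urm_demo_role_is_privileged( $role ) {
    $role_obj = get_role( $role );
    if ( null === $role_obj ) {
        return true; // unknown role: fail closed
    }
    foreach ( array( 'manage_options', 'edit_users', 'promote_users', 'install_plugins', 'edit_plugins' ) as $cap ) {
        if ( ! empty( $role_obj->capabilities[ $cap ] ) ) {
            return true;
        }
    }
    return false;
}

function urm_demo_register_hardened( array $request ) {
    $plan    = isset( $request['plan'] ) ? sanitize_key( $request['plan'] ) : 'free';
    $allowed = urm_demo_allowed_roles();

    if ( ! array_key_exists( $plan, $allowed ) ) {
        return new WP_Error( 'urm_demo_bad_plan', 'Unknown membership plan.' );
    }
    $role = $allowed[ $plan ];

    if ( urm_demo_role_is_privileged( $role ) ) {
        return new WP_Error( 'urm_demo_bad_role', 'Public registration cannot grant this role.' );
    }

    // Any "role" field the client sent is ignored entirely.
    return wp_insert_user( array(
        'user_login' => sanitize_user( $request['username'] ),
        'user_email' => sanitize_email( $request['email'] ),
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role,
    ) );
}

// Defence in depth for site owners: the core 'set_user_role' hook fires from
// WP_User::set_role(), which wp_insert_user() calls when a role is given.
// Log any administrator assignment made by a request whose current user may
// not promote users, which is what an unauthenticated exploit looks like.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( 'administrator' === $role && ! current_user_can( 'promote_users' ) ) {
        error_log( sprintf(
            'Unexpected administrator assignment: user %d via %s',
            $user_id,
            $_SERVER['REQUEST_URI'] ?? 'cli'
        ) );
    }
}, 10, 3 );
```

For triage on a live site, the two checks a practitioner wants are the installed version and the current administrator list; with WP-CLI those are `wp plugin get user-registration --field=version` (the plugin slug is assumed here) and `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered`, where any administrator registered around the time of the exploit attempts is suspect regardless of whether the plugin has since been updated.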
The researchers said they saw more than 200 attempts to exploit this vulnerability in just 24 hours, suggesting that cybercriminals are well aware of the flaw and are actively looking for exposed websites.
The attack surface is rather large, too: according to the official WordPress repository, User Registration & Membership is installed on more than 60,000 active websites, and the majority (62.7%) are running versions 4.4 and older.

That means at least 37,000 websites are currently susceptible to the improper privilege management bug.
To make matters worse, the plugin page's version statistics do not differentiate between 5.1.2 and 5.1.3, so the 5.1.x share mixes patched and unpatched sites and the actual number of vulnerable websites is quite possibly even greater.
With an admin account, threat actors can wreak all sorts of havoc, from exfiltrating sensitive data to using the website as a host for malware. They can also redirect legitimate traffic to malicious websites riddled with ads, plant phishing pages to trick users into sharing login credentials, and more.
Via BleepingComputer
======================================================================
Link to news story:
https://www.techradar.com/pro/security/hackers-exploiting-wordpress-membership-plugin-bug-to-create-admin-accounts
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)