CVE-2026-1492
Published: 03 March 2026
Summary
CVE-2026-1492 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
The User Registration & Membership plugin for WordPress, also known as Custom Registration Form Builder, is affected by an improper privilege management flaw in all versions through 5.1.2. The root cause is that the plugin accepts a user-supplied role parameter during membership registration without enforcing a server-side allowlist, enabling arbitrary role assignment.
Unauthenticated attackers can exploit the issue over the network by submitting a crafted registration request that specifies the administrator role, resulting in the immediate creation of a full-privileged account with complete control over the WordPress site.
A fix is available in the referenced WordPress plugin changeset that adds proper server-side role validation; administrators are advised to update immediately. The accompanying Wordfence advisory confirms the same remediation path and notes the vulnerability’s CVSS 9.8 rating.
EPSS for the CVE rose from a low baseline to a peak of 0.3899 on 2026-04-16 before receding to the current value of 0.2477, indicating a clear post-disclosure increase in exploitation interest.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9277
Vulnerability details
The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to improper privilege management in all versions up to, and including, 5.1.2. This is due…
more
to the plugin accepting a user-supplied role during membership registration without properly enforcing a server-side allowlist. This makes it possible for unauthenticated attackers to create administrator accounts by supplying a role value during membership registration.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote exploitation of a public-facing WordPress plugin vulnerability enables arbitrary account creation with administrator privileges, directly facilitating T1190 (Exploit Public-Facing Application) and T1136 (Create Account).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces that only explicitly authorized roles may be assigned to newly created accounts, blocking the unauthenticated attacker-supplied administrator role.
Requires server-side validation of the role parameter against an allow-list before account creation, eliminating the exact input-handling flaw described.
Limits the set of assignable privileges so that even a supplied role value cannot grant full administrative rights without explicit authorization.