Cyber Resilience

CVE-2026-1492

Critical

Published: 03 March 2026

Published
03 March 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.2553 97.7th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-1492 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The User Registration & Membership plugin for WordPress, also known as Custom Registration Form Builder, is affected by an improper privilege management flaw in all versions through 5.1.2. The root cause is that the plugin accepts a user-supplied role parameter during membership registration without enforcing a server-side allowlist, enabling arbitrary role assignment.

Unauthenticated attackers can exploit the issue over the network by submitting a crafted registration request that specifies the administrator role, resulting in the immediate creation of a full-privileged account with complete control over the WordPress site.

A fix is available in the referenced WordPress plugin changeset that adds proper server-side role validation; administrators are advised to update immediately. The accompanying Wordfence advisory confirms the same remediation path and notes the vulnerability’s CVSS 9.8 rating.

EPSS for the CVE rose from a low baseline to a peak of 0.3899 on 2026-04-16 before receding to the current value of 0.2477, indicating a clear post-disclosure increase in exploitation interest.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to improper privilege management in all versions up to, and including, 5.1.2. This is due…

more

to the plugin accepting a user-supplied role during membership registration without properly enforcing a server-side allowlist. This makes it possible for unauthenticated attackers to create administrator accounts by supplying a role value during membership registration.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1136 Create Account Persistence
Adversaries may create an account to maintain access to victim systems.
Why these techniques?

Unauthenticated remote exploitation of a public-facing WordPress plugin vulnerability enables arbitrary account creation with administrator privileges, directly facilitating T1190 (Exploit Public-Facing Application) and T1136 (Create Account).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2232Shared CWE-269
CVE-2025-6994Shared CWE-269
CVE-2025-13618Shared CWE-269
CVE-2025-13540Shared CWE-269
CVE-2026-2144Shared CWE-269
CVE-2026-7284Shared CWE-269
CVE-2025-13851Shared CWE-269
CVE-2026-7465Shared CWE-269
CVE-2026-22238Shared CWE-269
CVE-2024-12281Shared CWE-269

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces that only explicitly authorized roles may be assigned to newly created accounts, blocking the unauthenticated attacker-supplied administrator role.

prevent

Requires server-side validation of the role parameter against an allow-list before account creation, eliminating the exact input-handling flaw described.

prevent

Limits the set of assignable privileges so that even a supplied role value cannot grant full administrative rights without explicit authorization.

References