CVE-2026-1492
Published: 03 March 2026
Summary
CVE-2026-1492 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 3.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring server-side validation of user-supplied role inputs against an allowlist during membership registration.
Enforces approved access authorizations, preventing the assignment of unauthorized privileged roles such as administrator during self-registration.
Establishes account management procedures including privilege validation and approval for new account creation, blocking improper privilege escalation via registration.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote exploitation of a public-facing WordPress plugin vulnerability enables arbitrary account creation with administrator privileges, directly facilitating T1190 (Exploit Public-Facing Application) and T1136 (Create Account).
NVD Description
The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to improper privilege management in all versions up to, and including, 5.1.2. This is due…
more
to the plugin accepting a user-supplied role during membership registration without properly enforcing a server-side allowlist. This makes it possible for unauthenticated attackers to create administrator accounts by supplying a role value during membership registration.
Deeper analysisAI
CVE-2026-1492 is an improper privilege management vulnerability (CWE-269) affecting the User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin for WordPress in all versions up to and including 5.1.2. The issue stems from the plugin accepting a user-supplied role during membership registration without enforcing a server-side allowlist, enabling attackers to bypass intended role restrictions. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to high confidentiality, integrity, and availability impacts.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By supplying an arbitrary role value, such as "administrator," during the membership registration process, attackers can create fully privileged administrator accounts on the target WordPress site, granting them complete control over the site’s content, users, and configuration.
Advisories reference a patch in WordPress plugin trac changeset 3469042 for the user-registration plugin, which likely addresses the server-side validation deficiency. Additional details are available in Wordfence threat intelligence at the provided vulnerability ID page, recommending immediate updates to mitigate exposure.
Details
- CWE(s)