Attackers exploit the AJAX endpoint to bypass authentication and authorization controls
- User Registration & Membership plugin flaw allows attackers to gain admin access without login
- Exposed nonce values enable unauthorized backend requests and privilege escalation
- Sensitive user data becomes exposed once administrative privileges are obtained
A critical security flaw in a widely used WordPress plugin allows unauthenticated attackers to bypass authentication controls and gain full administrative access to affected websites.
The vulnerability, tracked as CVE-2026-1492, affects the User Registration & Membership plugin, versions 5.1.2 and earlier.
Experts at Cyfirma say improper server-side validation and weak authorization checks within the membership registration workflow create this dangerous gap.
How attackers exploit the vulnerability without any credentials
Attackers can abuse exposed client-side data and insufficient backend validation to manipulate parameters that directly influence authentication and privilege assignment.
The vulnerability stems from trusting user-controlled input rather than enforcing strict server-side validation.
Backend endpoints process membership-related actions without proper authentication or authorization checks.
This weakness becomes dangerous because exposed nonce values within client-side JavaScript are accessible to unauthenticated users.
Attackers can then reuse these nonce values in crafted requests to manipulate backend behavior, even for website builders.
By inspecting these values, attackers can construct malicious requests targeting the WordPress AJAX endpoint at /wp-admin/admin-ajax.php.
The backend processes these requests without verifying the request origin or authorization state.
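As an added illustration of the bug class described above (hypothetical handlers written for this page, not the affected plugin's code, which the article does not show), here is a flawed WordPress AJAX handler beside a hardened one: the flawed version treats a nonce lifted from public JavaScript as proof of identity, lets a request parameter choose the role and logs the caller in, while the hardened version decides authorization server-side from the caller's capabilities and never creates a session. Action names, nonce names and parameter names are assumptions.

```php
<?php
// Added example: hypothetical plugin handlers, not the affected plugin's code.
// Both are hooked for logged-out callers (wp_ajax_nopriv_*), which is what makes
// admin-ajax.php reachable without credentials; a real plugin would have only one.

// FLAWED PATTERN. The nonce is printed into public JavaScript, so passing
// check_ajax_referer() proves nothing about who is calling; the role comes from
// the request and the caller is logged in automatically.
function flawed_membership_register() {
    check_ajax_referer( 'membership_nonce', 'security' );          // CSRF token only
    $role    = sanitize_key( $_POST['role'] ?? 'subscriber' );      // attacker-controlled
    $user_id = wp_create_user( sanitize_user( $_POST['username'] ?? '' ),
                               wp_generate_password(), sanitize_email( $_POST['email'] ?? '' ) );
    wp_update_user( array( 'ID' => $user_id, 'role' => $role ) );   // may be "administrator"
    wp_set_auth_cookie( $user_id );                                 // no login ever happened
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_membership_register_flawed', 'flawed_membership_register' );

// HARDENED PATTERN. The nonce still blocks CSRF, but authorization is decided
// server-side from the caller's capabilities and no session is created.
function hardened_membership_register() {
    check_ajax_referer( 'membership_nonce', 'security' );
    $username = sanitize_user( $_POST['username'] ?? '' );
    $email    = sanitize_email( $_POST['email'] ?? '' );
    if ( '' === $username || ! is_email( $email ) ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    $role      = get_option( 'default_role', 'subscriber' );        // configured default
    $requested = sanitize_key( $_POST['role'] ?? $role );
    if ( $requested !== $role ) {
        // Only an authenticated caller allowed to promote users may pick a role;
        // an unauthenticated request never reaches the assignment below.
        if ( ! is_user_logged_in() || ! current_user_can( 'promote_users' ) || ! get_role( $requested ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        $role = $requested;
    }
    $user_id = wp_insert_user( array(
        'user_login' => $username, 'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ), 'role' => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'id' => $user_id ) );              // no wp_set_auth_cookie()
}
add_action( 'wp_ajax_nopriv_membership_register', 'hardened_membership_register' );
add_action( 'wp_ajax_membership_register', 'hardened_membership_register' );
```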
This results in automatic authentication and privilege escalation, where administrative access is granted without any legitimate login process taking place.
Successful exploitation grants attackers unrestricted administrative privileges over the entire WordPress environment.
With this level of access, attackers can install malicious plugins and modify themes to execute arbitrary code.
They can also access sensitive user data, including credentials and configuration files.
Hidden admin accounts can be created to ensure persistent access even after initial detection.
These attackers can also redirect website visitors to phishing pages or malware distribution sites.
Website defacement, content tampering, and malicious script injection become trivial once administrative control is established.
All versions of the User Registration & Membership plugin up to and including version 5.1.2 are vulnerable to this flaw. The issue has been addressed in version 5.1.3 through improved validation and authorization mechanisms, so website administrators must update immediately.
After updating, administrators should review existing user accounts, especially those with administrative privileges, which will help identify any unauthorized accounts created before patching.
Suspicious sessions should be invalidated, and credentials reset if compromise is suspected.
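One way to carry out the post-update review above, as an added example that is neither the article's nor the plugin's: a WP-CLI script that lists every administrator oldest-first, flags those registered after a cutoff you pass (the last time the site was known clean), and revokes access only for user IDs you name explicitly after checking them. It assumes WP-CLI is installed and is run from the site root; the file name and the default date are placeholders.

```php
<?php
// Added example: post-patch audit helper, not from the article or the plugin.
// Usage: wp eval-file audit-admins.php '<cutoff datetime>' [user_id ...]
// WP-CLI places the extra arguments in $args. IDs listed after the cutoff
// get every session destroyed and the password rotated (verify them first).

$cutoff  = $args[0] ?? '1970-01-01 00:00:00';   // placeholder: pass the real date
$targets = array_map( 'intval', array_slice( $args, 1 ) );

// All administrators, oldest registration first.
function list_admins() {
    return get_users( array( 'role' => 'administrator', 'orderby' => 'registered', 'order' => 'ASC' ) );
}

// Administrators registered at or after $cutoff, keyed by user ID.
function admins_after( $admins, $cutoff ) {
    $found = array();
    foreach ( $admins as $u ) {
        if ( strtotime( $u->user_registered ) >= strtotime( $cutoff ) ) {
            $found[ $u->ID ] = $u;
        }
    }
    return $found;
}

// Destroys every active session (stolen auth cookies stop working) and
// rotates the password so only a legitimate reset restores access.
function revoke_account_access( $user_id ) {
    WP_Session_Tokens::get_instance( $user_id )->destroy_all();
    wp_set_password( wp_generate_password( 32, true, true ), $user_id );
}

$admins  = list_admins();
$suspect = admins_after( $admins, $cutoff );
printf( "%-6s %-20s %-32s %-20s %s\n", 'ID', 'login', 'email', 'registered', 'sessions' );
foreach ( $admins as $u ) {
    $sessions = count( WP_Session_Tokens::get_instance( $u->ID )->get_all() );
    printf( "%-6d %-20s %-32s %-20s %-8d %s\n", $u->ID, $u->user_login, $u->user_email,
        $u->user_registered, $sessions, isset( $suspect[ $u->ID ] ) ? '<-- after cutoff, verify' : '' );
}
foreach ( $targets as $id ) {
    if ( get_userdata( $id ) ) {
        revoke_account_access( $id );
        printf( "revoked sessions and rotated password for user %d\n", $id );
    }
}
// Caveat: an attacker may instead elevate an existing account (or the
// registration timestamp may be altered), so compare against a known-good roster.
```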
The vulnerability carries a CVSS v4.0 score of 9.8 out of 10, indicating critical severity.
Observed discussions in underground forums show active interest in exploiting this vulnerability.
Hackers are already sharing exploitation techniques among themselves and discussing automation strategies.
Initial Access Brokers may leverage this flaw to obtain administrative access and resell it for ransomware deployment, SEO spam campaigns, or credential harvesting operations.
Given the low complexity of exploitation and public awareness of the technique, website owners running the affected plugin should treat their systems as actively at risk and prioritize remediation immediately.
Efosa Udinmwen, Freelance Journalist. Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking.