Critical WordPress Plugin Flaw Lets Attackers Bypass Authentication and Gain Admin Access
ID: 88b3c397-d3cc-52f7-8d77-f41fac068f6c
STIX ID: report--88b3c397-d3cc-52f7-8d77-f41fac068f6c
Feed Name: cybersecurityNews.com
**Executive summary:** A critical unauthenticated authentication-bypass vulnerability (CVE-2026-1492, CVSS 9.8) in the WordPress User Registration & Membership plugin (versions ≤5.1.2) exposes nonces and AJAX endpoints that allow remote attackers to gain full administrator access. Site operators must update to version 5.1.3 immediately, review and remove unauthorized admin accounts, invalidate suspicious sessions, and enforce server-side validation and tighter access controls.
