WordPress Membership Plugin Flaw Lets Attackers Create Admin Accounts

A critical unauthenticated privilege-escalation vulnerability (CVE-2026-1492, CVSS 9.8) in the WordPress User Registration & Membership plugin (≤5.1.2) allows attackers to register accounts with an administrator role; active exploitation attempts were observed and the vendor patched the issue in version 5.1.3 — site owners should update immediately and audit for unauthorized admin accounts.