
WordPress membership plugin bug exploited to create admin accounts

ID: 8ac745a3-5b88-519e-895b-23ddec558803

STIX ID: report--8ac745a3-5b88-519e-895b-23ddec558803

Feed Name: Bleeping Computer

Threat Score: 75/100

Date Published: 2026-03-05

Date Updated: 2026-04-20

Author: Bill Toulas

A critical vulnerability (CVE-2026-1492, CVSS 9.8) in the User Registration & Membership WordPress plugin, installed on more than 60,000 sites, allows unauthenticated attackers to specify roles and create administrator accounts. Wordfence reported blocking more than 200 exploitation attempts in 24 hours. Site owners are advised to update to 5.1.3/5.1.4 or disable the plugin to mitigate full site compromise.
