Code Defence Cyber security

Attackers are mass-creating admin accounts on thousands of websites. 🐚

CVE-2026-1492 · Severity 9.8 · Unauthorized Admin Creation in User Registration for WordPress.

We are seeing a massive wave of automated attacks targeting WordPress sites. A critical flaw in a popular user registration plugin allows unauthenticated attackers to create new administrator accounts, granting them full control over the site.

Over 60,000 sites are currently at risk, with exploitation attempts spiking in the last 24 hours. Attackers are using this access to inject malicious scripts, redirect traffic, and exfiltrate user databases. This is a low-barrier, high-impact exploit being used for mass web compromise.

The uncomfortable truth: A single unpatched plugin can turn your public web presence into a tool for state-sponsored malware distribution.

→ Update the User Registration & Membership plugin to version 3.2.1 or higher immediately.

→ Audit your WordPress user list for any unauthorized accounts with ‘Administrator’ roles.

→ Implement a Web Application Firewall (WAF) to block unauthorized registration requests at the edge.
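
One way to carry out the audit step above, as an added example (not code from the original post): it reads the CSV that WP-CLI's `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv` produces and flags administrators who are missing from an approved list or were registered inside a review window. The approved logins, the cutoff date and the sample rows are constructed assumptions.

```python
import csv
import io
import sys
from datetime import datetime

# Constructed sample of the WP-CLI CSV output (not real data).
SAMPLE_CSV = """ID,user_login,user_email,user_registered
1,siteadmin,admin@example.com,2021-03-14 09:12:44
7,jsmith,jsmith@example.com,2023-08-02 16:40:10
412,wp_support_x,helper@example.net,2026-02-20 03:17:55
"""


def audit_admins(csv_text, approved_logins, review_since):
    """Return [(login, [reasons])] for administrator accounts that need review.

    approved_logins: logins your team has signed off as administrators (assumption).
    review_since:    YYYY-MM-DD start of the window you want to inspect (assumption).
    """
    approved = {login.lower() for login in approved_logins}
    cutoff = datetime.strptime(review_since, "%Y-%m-%d")
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if row["user_login"].lower() not in approved:
            reasons.append("not on approved admin list")
        # WordPress stores user_registered as 'YYYY-MM-DD HH:MM:SS'.
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= cutoff:
            reasons.append("registered on or after " + review_since)
        if reasons:
            findings.append((row["user_login"], reasons))
    return findings


if __name__ == "__main__":
    # Pipe real WP-CLI output on stdin, or run with no input to use the sample.
    text = SAMPLE_CSV if sys.stdin.isatty() else sys.stdin.read()
    for login, reasons in audit_admins(text, {"siteadmin", "jsmith"}, "2026-01-01"):
        print(f"REVIEW {login}: {'; '.join(reasons)}")
```

An approved account that shows up with a recent registration date is still flagged, since that combination means the account was recreated or the list is out of date.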

Do you have a real-time inventory of every third-party plugin running on your corporate web servers? 👇

#Cybersecurity #WebSecurity #AppSec #WordPress #SOC #CodeDefence
