According to Roger Montti’s article on Search Engine Journal, “WordPress User Registration & Membership Plugin Vulnerability,” a critical security flaw has been discovered in the User Registration & Membership WordPress plugin, potentially affecting over 60,000 websites.
Critical Vulnerability Overview
Montti reports that the vulnerability is rated 9.8/10 (Critical) and allows unauthenticated attackers to create administrator-level accounts, effectively giving them full control over affected WordPress sites.
The plugin is widely used to build membership-based websites, handling user registrations, role assignments, content restrictions, and subscription access.
Root Cause: Improper Privilege Management
The issue stems from improper role validation during user registration. According to Montti, the plugin accepts a user-supplied role value but fails to enforce a server-side allowlist of permitted roles.
Because of this missing check, attackers can manipulate the registration process and assign themselves the administrator role, thereby bypassing WordPress’s normal restrictions.
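To make the root cause concrete, here is an added illustration (not the plugin's code and not from Montti's article) of the vulnerable pattern beside a hardened version. It is a minimal WordPress registration handler; the function names, the `role` form field and the allowlist contents are assumptions, while `wp_insert_user()`, `get_option('default_role')` and the sanitizers are standard WordPress APIs.

```php
<?php
// Added example, not the plugin's code. Function names, the "role" form
// field and the allowlist are assumptions for illustration.

// VULNERABLE: the role submitted with the form is trusted as-is. Whatever
// the client sends becomes the WordPress role, including 'administrator'.
function vulnerable_register_user( array $form ) {
    $userdata = array(
        'user_login' => sanitize_user( $form['user_login'] ),
        'user_email' => sanitize_email( $form['user_email'] ),
        'user_pass'  => $form['user_pass'],
        'role'       => sanitize_text_field( $form['role'] ), // no allowlist check
    );
    return wp_insert_user( $userdata );
}

// HARDENED: check the requested role against a server-side allowlist of
// roles a self-registering visitor may receive; anything else falls back
// to the site's configured default role.
function allowed_self_registration_role( $requested ) {
    // Assumed allowlist. A real plugin would make this an admin-edited
    // setting; the client must never be able to extend it.
    $allowlist = array( 'subscriber', 'customer' );
    $requested = is_string( $requested ) ? sanitize_key( $requested ) : '';
    if ( in_array( $requested, $allowlist, true ) ) {
        return $requested;
    }
    return get_option( 'default_role', 'subscriber' );
}

function hardened_register_user( array $form ) {
    $userdata = array(
        'user_login' => sanitize_user( $form['user_login'] ),
        'user_email' => sanitize_email( $form['user_email'] ),
        'user_pass'  => $form['user_pass'],
        'role'       => allowed_self_registration_role( $form['role'] ?? '' ),
    );
    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    // Defense in depth: an account created through public registration
    // must never end up with the administrator role, whatever a filter
    // elsewhere may have done to the role value.
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
        $user->set_role( get_option( 'default_role', 'subscriber' ) );
    }
    return $user_id;
}
```

The important design point is that the allowlist lives entirely on the server and uses strict comparison (`in_array(..., true)`); the client-supplied value only selects among roles the site has already decided a visitor may have, and an unrecognised value degrades to the default role rather than being honoured.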
Potential Impact
With administrator access, attackers can:
- Install or remove plugins and themes.
- Upload malicious code.
- Create or delete user accounts.
- Access or manipulate site data.
As Montti explains, this level of access amounts to a complete site takeover.
Affected Versions and Fix
The vulnerability affects all versions up to and including 5.1.2 and has been patched in version 5.1.3, which enforces stricter role validation during registration.
Recommended Action
Site owners using the plugin are strongly advised to update immediately. Because the vulnerability does not require authentication, any unpatched site remains exposed to attackers, who can create administrator accounts and take control.
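Updating closes the hole, but it does not remove accounts that may have been created before the patch was applied. The following added snippet (not from the article or the plugin) lists administrator accounts registered after a cutoff date so a site owner can review them; the function name and the default cutoff are assumptions, and `get_users()` with `role`, `date_query` and `fields` is a standard WordPress call. It can be run with `wp eval-file` or from a must-use plugin.

```php
<?php
// Added example, not from the article or the plugin. Lists administrator
// accounts whose user_registered date is on or after $since so they can be
// reviewed. The function name and the default cutoff are assumptions.
function recent_administrator_accounts( $since = '2024-01-01 00:00:00' ) {
    $admins = get_users( array(
        'role'       => 'administrator',
        // date_query on WP_User_Query filters on the user_registered column.
        'date_query' => array( array( 'after' => $since, 'inclusive' => true ) ),
        'fields'     => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
        'orderby'    => 'registered',
        'order'      => 'DESC',
    ) );

    $report = array();
    foreach ( $admins as $admin ) {
        $report[] = array(
            'id'         => (int) $admin->ID,
            'login'      => $admin->user_login,
            'email'      => $admin->user_email,
            'registered' => $admin->user_registered,
        );
    }
    return $report;
}

// Usage: print one line per administrator registered since the cutoff.
foreach ( recent_administrator_accounts() as $row ) {
    printf( "%d\t%s\t%s\t%s\n", $row['id'], $row['login'], $row['email'], $row['registered'] );
}
```

Any administrator in the output that the site owner did not create is a candidate for removal and for a wider check of installed plugins, themes and uploaded files, since the article notes that administrator access allows all of those to be changed.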
Montti’s report highlights once again how missing permission checks in user registration workflows remain one of the most dangerous classes of vulnerabilities in WordPress plugins.