Authentication Bypass in User Registration & Membership Plugin for WordPress
CVE-2026-1779

8.1HIGH

Key Information:

Vendor: WordPress
Status: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
Vendor: CVE Published:; 26 February 2026

What is CVE-2026-1779?

The User Registration & Membership plugin for WordPress is susceptible to an authentication bypass, allowing unauthenticated attackers to log in as a newly registered user. This vulnerability arises from inadequate authentication checks within the 'register_member' function, particularly affecting versions up to 5.1.2. If the 'urm_user_just_created' user meta is set, an attacker can exploit this flaw to gain access without valid credentials, posing significant security risks to affected WordPress sites.

Affected Version(s)

User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder 0 <= 5.1.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/user-registrat...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 26, 2026
Vulnerability Reserved
Feb 2, 2026

Credit

Jude Nwadinobi

CVE-2026-1779 Data

JSON