CVE-2026-1779 Overview
CVE-2026-1779 is an authentication bypass vulnerability in the User Registration & Membership plugin for WordPress. The flaw affects all versions up to and including 5.1.2. The vulnerability resides in the register_member function, which performs incorrect authentication checks. Unauthenticated attackers can log in as a newly registered user whose account carries the urm_user_just_created user meta value. The weakness is classified as [CWE-288] Authentication Bypass Using an Alternate Path or Channel. Successful exploitation grants attackers access to the target user account without supplying credentials.
Critical Impact
Unauthenticated network attackers can hijack newly registered WordPress accounts, gaining authenticated session access to the site without valid credentials.
Affected Products
- WordPress User Registration & Membership plugin versions up to and including 5.1.2
- WordPress sites with the membership module enabled
- Sites permitting public user registration through the plugin
Discovery Timeline
- 2026-02-26 - CVE-2026-1779 published to the National Vulnerability Database (NVD)
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-1779
Vulnerability Analysis
The vulnerability stems from flawed authentication logic in the register_member AJAX handler within the plugin's membership module. The function determines whether to authenticate a user based on the presence of the urm_user_just_created user meta flag. Any account carrying this metadata can be logged in through the handler without password verification. The handler is reachable over the network and requires no prior authentication. An attacker who can identify or trigger creation of a user with this meta value receives an authenticated session for that user.
Root Cause
The root cause is incorrect authentication in the register_member function. The plugin treats the urm_user_just_created user meta as proof of legitimate registration intent. It then calls WordPress authentication primitives to log the user in without validating the requester's identity or session. The meta flag persists on the account until explicitly cleared, widening the exposure window.
Attack Vector
The attack is delivered over the network through the plugin's AJAX endpoint. An unauthenticated attacker submits a crafted request to the register_member action targeting an account that holds the urm_user_just_created meta. The server completes the login sequence and returns valid authentication cookies. The attacker then operates as that user, accessing member-only content and account functions. Attack complexity is rated High because exploitation depends on the existence of accounts with the vulnerable meta flag. Technical specifics are documented in the WordPress AJAX.php source reference and the Wordfence Vulnerability Report.
Detection Methods for CVE-2026-1779
Indicators of Compromise
- Unexpected authenticated sessions tied to recently registered accounts with no corresponding password reset or login activity
- WordPress audit log entries showing register_member AJAX calls followed by immediate session creation for the same user
- User accounts retaining the urm_user_just_created user meta value beyond initial registration completion
- New administrative or elevated role assignments shortly after a registration event
Detection Strategies
- Monitor admin-ajax.php traffic for repeated action=register_member requests originating from unauthenticated sources
- Query the wp_usermeta table for accounts where meta_key='urm_user_just_created' persists past expected lifecycles
- Correlate plugin registration events with subsequent privileged actions taken by the same account within short time windows
Monitoring Recommendations
- Enable WordPress security plugin logging to capture authentication events and AJAX endpoint invocations
- Forward web server access logs and WordPress audit telemetry to a centralized analytics platform for correlation
- Alert on session establishment that bypasses standard wp-login.php flows for accounts created within the prior 24 hours
How to Mitigate CVE-2026-1779
Immediate Actions Required
- Update the User Registration & Membership plugin to a version released after 5.1.2 that addresses the register_member authentication logic
- Audit wp_usermeta for residual urm_user_just_created entries and remove them from any account where registration is complete
- Review recently created accounts for suspicious privilege assignments, posts, or settings changes and revoke unauthorized access
- Force password resets for accounts registered while the vulnerable version was active
Patch Information
Refer to the Wordfence Vulnerability Report for the fixed plugin version and vendor advisory details. Site operators should apply the patched release through the WordPress plugin updater and verify the installed version after upgrade.
Workarounds
- Disable the User Registration & Membership plugin until patching is complete if public registration is not business-critical
- Restrict access to admin-ajax.php for the register_member action through a web application firewall rule
- Temporarily disable open user registration in WordPress general settings to prevent creation of accounts carrying the vulnerable meta flag
# Example WAF rule concept to block exploitation attempts
# Deny unauthenticated POST requests to admin-ajax.php targeting register_member
SecRule REQUEST_URI "@endsWith /wp-admin/admin-ajax.php" \
"chain,phase:2,deny,status:403,id:1002026,msg:'Block CVE-2026-1779 register_member abuse'"
SecRule ARGS:action "@streq register_member" \
"chain"
SecRule &REQUEST_COOKIES:/wordpress_logged_in_/ "@eq 0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

