CVE-2026-1779 HIGH

CVE-2026-1779: User Registration & Membership <= 5.1.2 - Authentication Bypass

Vendor: Wpeverest
Product: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
Weakness: CWE-288
Published: February 26, 2026
Last update: April 8, 2026

CVSS base score

8.1/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High
Availability: High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The User Registration & Membership plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.2. This is due to incorrect authentication in the 'register_member' function. This makes it possible for unauthenticated attackers to log in as a newly registered user on the site who has the 'urm_user_just_created' user meta set.

Explanation of Vulnerability in Simple Terms

02 Summary

The User Registration & Membership plugin for WordPress, versions 5.1.2 and earlier, contains an authentication bypass vulnerability. An attacker can gain unauthorized access to user accounts and sensitive data without valid credentials. Exploitation requires specific network conditions but does not require user interaction. Site administrators should update immediately to a version newer than 5.1.2.

What an attacker can do

03 Attacker Capabilities

Bypass authentication and gain unauthorized access to user accounts and sensitive site data.

Potential impact on your site

04 Site Impact

User accounts and sensitive data are at risk of unauthorized access and modification.

Conditions required to exploit

05 Prerequisites

Network access to the site; no user credentials or interaction required.

Key dates

06 Disclosure timeline

February 26, 2026: CVE published
April 8, 2026: Record updated