Hackers are exploiting a critical vulnerability in the User Registration & Membership plugin, which is installed on more than 60,000 WordPress sites. The security vulnerability, tracked as CVE-2026-1492, has a critical severity rating of 9.8 and allows hackers to create administrator accounts without authentication. This level of access enables attackers to steal data, embed malicious code, and distribute malware to visitors.
What Happened
The vulnerability in the User Registration & Membership plugin, developed by WPEverest, provides membership and user registration management features, including custom forms, payment integrations with PayPal and Stripe, bank transfers, and analytics. Researchers at WordPress security firms have warned that the plugin's acceptance of user-supplied roles during membership registration allows hackers to create administrator accounts.
In a separate development, a Russian national, Evgenii Ptitsyn, pleaded guilty to a wire fraud conspiracy charge related to his role in administering the Phobos ransomware operation. Phobos is a long-running ransomware-as-a-service (RaaS) operation linked to the Crysis ransomware family, which has breached hundreds of victims worldwide.
Why It Matters
The Phobos ransomware operation has collected ransom payments worth more than $39 million from over 1,000 public and private entities worldwide. Ptitsyn's guilty plea marks a significant development in the fight against ransomware.
State-affiliated hackers have also shifted their focus from gaining and maintaining access to operational technology (OT) networks to actively mapping out ways to disrupt physical industrial processes. This shift poses a significant threat, as fewer than one in 10 OT networks have monitoring in place to detect such activity.
What Experts Say
"The shift in tactics by state-affiliated hackers is a significant concern, as it indicates a desire to cause physical harm and disrupt critical infrastructure." — Dragos, industrial cybersecurity firm
Key Numbers
- 60,000: Number of WordPress sites affected by the User Registration & Membership plugin vulnerability
- $39 million: Ransom payments collected by the Phobos ransomware operation
- 1,000: Number of public and private entities breached by Phobos ransomware
- 1 in 10: Proportion of OT networks with monitoring in place to detect state-affiliated hacking activity
Key Facts
- Who: Evgenii Ptitsyn, Russian national and Phobos ransomware administrator
- What: Pleaded guilty to wire fraud conspiracy charge
- Where: United States
Background
The Phobos ransomware operation is linked to the Crysis ransomware family and has been widely distributed through many affiliates. The group has been active since at least November 2020 and has been responsible for numerous high-profile breaches.
What Comes Next
As cyber threats continue to escalate, it is essential for organizations to prioritize cybersecurity and implement robust measures to protect against attacks. This includes regularly updating software, implementing monitoring systems, and providing training to employees on cybersecurity best practices.