Privilege Escalation in WordPress User Registration & Membership Plugin
CVE-2026-1492 is a critical improper privilege management vulnerability in the WordPress plugin "User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin", affecting all versions up to and including 5.1.2. The flaw is that the plugin accepts a user-supplied role during membership registration without enforcing a server-side allowlist or otherwise restricting which roles may be assigned; the role a new member receives should be derived from the membership configuration on the server, never from the request. As a result, an unauthenticated remote attacker can submit a crafted membership registration request containing an elevated role value, such as administrator, and cause the plugin to create a new administrator account. Supporting reporting indicates the vulnerable workflow is reachable through the plugin's front-end registration and admin-ajax.php processing logic, so exploitation happens over the network without prior access.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
Repository contains a single substantial Python exploit script (CVE-2026-1492.py), a README, and a license file. The script is an operational PoC for CVE-2026-1492 targeting WordPress sites running the User Registration & Membership plugin up to 5.1.2. Its purpose is full-chain unauthenticated privilege escalation: discover exposed membership/registration pages, harvest required form data and nonces, register a new user through the plugin’s frontend/AJAX workflow, submit a second AJAX request with crafted members_data containing role=administrator, then verify elevated access by requesting /wp-admin/ and /wp-admin/plugin-install.php. The code uses requests sessions, randomized user agents, concurrency via ThreadPoolExecutor, and rich for terminal UI. It supports bulk target processing from a targets list, logs discovery/registration/membership/admin-check artifacts to multiple local files, and writes successful admin credentials to Nx_admin.txt. Based on the README and visible code structure, this is not merely a detector; it is intended to create working administrator accounts on vulnerable WordPress instances.
This repository is a small standalone Python proof-of-concept for CVE-2026-1492 affecting the WPEverest WordPress User Registration & Membership plugin <= 5.1.2. The repo contains one executable file, exploit.py, plus README.md and ANALYSIS.md documentation; the exploit is not part of a larger framework.

The exploit performs a two-stage network attack against a WordPress target. First, it fetches a supplied registration page and parses HTML and embedded JavaScript to extract the required values: form_id, ur_frontend_form_nonce, a registration security token, a membership _wpnonce, and a membership_id. It then submits a registration request to /wp-admin/admin-ajax.php using the AJAX action user_registration_user_form_submit to create a new low-privilege user with a randomly generated username/email and a hardcoded password. Second, it sends another POST to the same AJAX endpoint using the action user_registration_membership_register_member, placing crafted JSON in members_data, most importantly role=administrator and username=<new user>. This is the core exploit capability: abusing the vulnerable membership registration flow to assign an arbitrary WordPress role to the newly created account. If the server accepts the request, the script reports likely privilege escalation and prints the credentials and admin URL.

Repository structure and purpose:
- exploit.py: main exploit logic, token extraction, session handling, registration, and the privilege-escalation request.
- README.md: usage instructions, affected product/version, exploitation flow, and expected output.
- ANALYSIS.md: root-cause analysis of the vulnerable plugin code path and data flow.

Notable implementation details:
- Uses requests.Session() to preserve cookies across both requests.
- Uses BeautifulSoup and regex/JSON parsing to scrape tokens from the registration page.
- Targets the WordPress AJAX endpoint /wp-admin/admin-ajax.php.
- Requires an operator-supplied target base URL and registration page URL.
- Includes a --debug option to print the final exploit request body and server response.

Overall, this is a real operational PoC for unauthenticated network-based privilege escalation that results in administrator account creation on vulnerable WordPress sites.
Repository contains a single PHP script (CVE-2026-1492.php) intended as a network-based PoC exploit against a WordPress site using the User Registration plugin (membership functionality implied). The script prompts for (1) the base site URL and (2) a registration page URL, then uses cURL to fetch the registration page, parse HTML/embedded JS to extract form identifiers and nonce/security tokens (e.g., ur-user-form-id, ur_frontend_form_nonce, and a JS variable user_registration_params.user_registration_form_data_save; also attempts to extract a membership _nonce from ur_membership_frontend_localized_data). It then targets the WordPress AJAX endpoint at <site_url>/wp-admin/admin-ajax.php with two POST actions: first, user_registration_user_form_submit to create a new user with a random username/email and password "password"; second, user_registration_membership_register_member with members_data containing role="administrator" and the created username, attempting to obtain admin privileges. Notable issues/quirks: the script currently calls get_data($registration_url,true) with an invalid request_type (boolean true), and it exits early (exit() after printing the first response), meaning the exploit path is unreachable unless the exit is removed. There are also variable inconsistencies (e.g., $jsContent2 referenced but not defined) and a misuse of the cookie parameter (a cookie string is passed where headers are expected in one call). Despite these bugs, the intended exploit logic is clear: abuse WordPress admin-ajax actions to create an account and escalate it to administrator.
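All three PoCs converge on the same request shape: a POST to /wp-admin/admin-ajax.php with action=user_registration_membership_register_member whose members_data JSON carries a role value. That shape is what a defender should hunt for while patching is under way. The following detection logic is an added example written for this page; it is not code from the plugin, from any of the exploit repositories, or from Mallory. It assumes request bodies are available (for instance from a WAF or reverse-proxy audit log) as JSON-lines records with src, method, uri and body fields; that record format, the PRIVILEGED_ROLES set and the sample records are constructed for the example. It also goes slightly beyond the PoCs by tolerating the action in the query string, a list-valued role, and members_data that is not valid JSON, since a tampered payload is itself worth a look.

```python
"""Flag admin-ajax requests that try to self-assign a privileged role through
the membership registration action. Added example; the log record format
(JSON lines with src/method/uri/body) is an assumption, not plugin output."""
import json
from urllib.parse import parse_qs, urlencode, urlsplit

MEMBERSHIP_ACTION = "user_registration_membership_register_member"
# Roles an anonymous registrant must never be able to name (assumed set;
# extend with any site-specific roles that carry manage_options).
PRIVILEGED_ROLES = {"administrator", "editor", "author", "shop_manager"}


def request_fields(uri: str, body: str) -> dict:
    """Merge query-string and form-body parameters; admin-ajax accepts either."""
    merged = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    merged.update(parse_qs(body, keep_blank_values=True))
    return {key: values[0] for key, values in merged.items()}


def roles_in_members_data(raw: str):
    """Return the set of role names in a members_data payload, normalised to
    lower case. Returns None when the payload is not valid JSON, which is
    anomalous for traffic produced by the plugin's own front end."""
    try:
        data = json.loads(raw)
    except (TypeError, ValueError):
        return None
    role = data.get("role") if isinstance(data, dict) else None
    if role is None:
        return set()
    roles = role if isinstance(role, list) else [role]
    return {str(r).strip().lower() for r in roles}


def classify(record: dict):
    """Return a finding dict for an escalation attempt, else None."""
    if record.get("method", "").upper() != "POST":
        return None
    if not urlsplit(record.get("uri", "")).path.endswith("/wp-admin/admin-ajax.php"):
        return None
    fields = request_fields(record["uri"], record.get("body", ""))
    if fields.get("action") != MEMBERSHIP_ACTION or "members_data" not in fields:
        return None
    roles = roles_in_members_data(fields["members_data"])
    if roles is None:
        reason = "malformed members_data"
    elif roles & PRIVILEGED_ROLES:
        reason = "privileged role requested: " + ",".join(sorted(roles & PRIVILEGED_ROLES))
    else:
        return None  # a role the plugin may legitimately hand out
    return {"src": record.get("src"), "reason": reason, "roles": roles}


def scan(lines):
    """Run classify() over JSON-lines records, skipping unparseable lines."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except ValueError:
            continue
        finding = classify(record)
        if finding:
            findings.append(finding)
    return findings


def _record(src, uri, body, method="POST"):
    return json.dumps({"src": src, "method": method, "uri": uri, "body": body})


# Constructed sample records, not real traffic.
SAMPLE_LOG = [
    # Ordinary submission through the plugin's registration action.
    _record("198.51.100.7", "/wp-admin/admin-ajax.php",
            urlencode({"action": "user_registration_user_form_submit", "form_id": "12"})),
    # Membership registration naming only a low-privilege role.
    _record("198.51.100.7", "/wp-admin/admin-ajax.php",
            urlencode({"action": MEMBERSHIP_ACTION,
                       "members_data": json.dumps({"username": "alice", "role": "subscriber"})})),
    # Escalation attempt: role=administrator inside members_data.
    _record("203.0.113.9", "/wp-admin/admin-ajax.php",
            urlencode({"action": MEMBERSHIP_ACTION,
                       "members_data": json.dumps({"username": "nx_7f2a", "role": "administrator"})})),
    # Same attempt with the action in the query string and a list-valued role.
    _record("203.0.113.9", "/wp-admin/admin-ajax.php?action=" + MEMBERSHIP_ACTION,
            urlencode({"members_data": json.dumps({"username": "nx_7f2b", "role": ["Administrator"]})})),
    # Tampered payload that is not valid JSON.
    _record("203.0.113.9", "/wp-admin/admin-ajax.php",
            urlencode({"action": MEMBERSHIP_ACTION, "members_data": "{role:administrator"})),
    # GET with the action in the query string: not a registration attempt.
    _record("192.0.2.4", "/wp-admin/admin-ajax.php?action=" + MEMBERSHIP_ACTION, "", method="GET"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against a real audit log, the findings give the source IP and requested role per attempt; the natural follow-up is to check wp_users for accounts created around those timestamps and, as the PoCs do for their own verification, for first-time hits on /wp-admin/plugin-install.php from the same source.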
Recent activity
37 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A critical authentication bypass vulnerability in the User Registration & Membership plugin for WordPress that can allow remote attackers to gain full administrator access without valid credentials.
A privilege escalation vulnerability in the WordPress “User Registration & Membership” plugin (versions ≤ 5.1.2) that can allow creation of administrator accounts due to improper role validation during membership registration.
Critical privilege-escalation/account-takeover vulnerability in the User Registration & Membership WordPress plugin allowing unauthenticated attackers to create administrator accounts and fully compromise WordPress sites.
Authentication/authorization flaw in the WordPress User Registration & Membership plugin that allows unauthenticated attackers to create administrator accounts by supplying a role during registration, leading to full site takeover.