The API Guys
CVE-2026-1492: WordPress Membership Plugin Actively Exploited for Admin Account Creation
2 min read · The API Guys


Quick Bytes · Security Updates · PHP

A critical vulnerability in the User Registration & Membership plugin for WordPress is being actively exploited in the wild. The flaw, tracked as CVE-2026-1492 with a CVSS score of 9.8, allows unauthenticated attackers to create administrator accounts on affected sites. If you or a client is running this plugin, updating is urgent.

What the vulnerability does

The plugin, developed by WPEverest and installed on over 60,000 WordPress sites, accepts a user-supplied role value during membership registration without adequate validation. An attacker can exploit this by submitting a crafted registration request that assigns the administrator role to a newly created account - no authentication required.

An administrator account on WordPress has unrestricted access: installing and removing plugins and themes, editing PHP code, modifying security settings, changing site content, and locking out legitimate administrators. An attacker who obtains one can steal user data, embed malicious code to distribute malware to visitors, or use the site as infrastructure for phishing or command-and-control operations.

Active exploitation confirmed

Wordfence, the WordPress security firm behind the Wordfence plugin, reported blocking more than 200 exploitation attempts against customer sites in a single 24-hour window. This is not a theoretical risk - attacks are happening now, and the volume is likely to increase as the vulnerability becomes more widely known.

Affected versions and fix

All versions of User Registration & Membership through 5.1.2 are affected. WPEverest released a fix in version 5.1.3, and the current patched version is 5.1.4. Update to 5.1.4 immediately via your WordPress dashboard or by running wp plugin update user-registration via WP-CLI.

If updating is not immediately possible, disabling or uninstalling the plugin is the recommended interim measure. Leaving a vulnerable plugin active while deferring the update is not an acceptable middle ground given the severity of this flaw and the active exploitation underway.

A familiar pattern

Unauthenticated privilege escalation via plugin registration flows is a recurring WordPress vulnerability class. Earlier this year, a maximum-severity flaw in the Modular DS plugin (CVE-2026-23550) allowed the same outcome - remote admin access with no credentials. The pattern is consistent: plugins that handle user-supplied data during registration without validating the role or capability being requested create a direct path to full site takeover.
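To make the vulnerability class concrete, here is an added PHP illustration (not code from the User Registration & Membership plugin or any other project) contrasting a registration handler that trusts a caller-supplied role, as described above, with a hardened handler that only assigns a server-configured, non-privileged role. The function names and the 'member' role are hypothetical; the WordPress API calls (wp_insert_user, get_role, WP_Role::has_cap, the sanitize_* helpers) are real.

```php
<?php
// Added illustration of the pattern discussed in the article. Not the plugin's code.
// Function names and the 'member' role are hypothetical; WordPress core functions are real.

// Vulnerable pattern: whatever role the request names is written into the new account,
// so a registrant can ask for 'administrator' and get it.
function vulnerable_register( array $request ) {
    return wp_insert_user( [
        'user_login' => sanitize_user( $request['username'] ),
        'user_email' => sanitize_email( $request['email'] ),
        'user_pass'  => $request['password'],
        'role'       => $request['role'], // caller-controlled: the root cause of this bug class
    ] );
}

// Roles a self-service registration form is ever allowed to grant (server-side allow-list).
const SELF_REGISTRATION_ROLES = [ 'subscriber', 'member' ]; // 'member' is hypothetical

// Hardened pattern: the role comes from plugin configuration, never from the request,
// is checked against the allow-list, and is refused if it carries privileged capabilities.
function hardened_register( array $request, string $configured_role = 'subscriber' ) {
    // A registration request that tries to choose its own role is hostile; reject and log it.
    if ( isset( $request['role'] ) ) {
        error_log( 'registration request attempted to supply a role' );
        return new WP_Error( 'role_not_allowed', 'Role may not be supplied by the registrant.' );
    }

    $role = sanitize_key( $configured_role );
    if ( ! in_array( $role, SELF_REGISTRATION_ROLES, true ) || null === get_role( $role ) ) {
        return new WP_Error( 'role_not_allowed', 'Configured registration role is not permitted.' );
    }

    // Defence in depth: even an allow-listed role is refused if it has been granted
    // site-administration capabilities (roles can be edited by other plugins).
    foreach ( [ 'manage_options', 'edit_plugins', 'install_plugins', 'edit_users', 'promote_users' ] as $cap ) {
        if ( get_role( $role )->has_cap( $cap ) ) {
            return new WP_Error( 'role_not_allowed', 'Registration role must not be privileged.' );
        }
    }

    return wp_insert_user( [
        'user_login' => sanitize_user( $request['username'] ),
        'user_email' => sanitize_email( $request['email'] ),
        'user_pass'  => $request['password'],
        'role'       => $role,
    ] );
}
```

When triaging a site that ran a vulnerable version, the WP-CLI command wp user list --role=administrator --fields=ID,user_login,user_email,user_registered lists administrator accounts with their creation dates, so unexpected recent entries stand out.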

As we have covered previously, auditing the plugins installed on client sites is not a one-time task. If you manage WordPress sites for clients, now is a good moment to verify which plugins are installed, whether they are up to date, and whether any are abandoned or no longer receiving security fixes.
