What the vulnerability does
01 Description
The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.20. This is due to the `rcp_setup_registration_init()` function accepting any membership level ID via the `rcp_level` POST parameter without validating that the level is active or that payment is required. Combined with the `add_user_role()` method, which assigns the WordPress role configured on the membership level without status checks, this makes it possible for unauthenticated attackers to register with any membership level, including inactive levels that grant privileged WordPress roles such as Administrator, or paid levels that charge a sign-up fee. The vulnerability was partially patched in version 3.2.18.
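The two missing checks described above (level status and payment) written out as an added example in WordPress-style PHP; this is not code from the Restrict Content plugin. The `$level` array shape, the `rcp_example_*` function names, the `$load_level` lookup and the `$payment_confirmed` flag are assumptions; only `absint()`, `is_wp_error()`, `WP_Error` and `WP_User::add_role()` are WordPress core.

```php
<?php
// Added example (not the plugin's code): the gate that must sit between
// reading `rcp_level` from POST and assigning a WordPress role.
// Assumed level shape: ['id' => int, 'status' => 'active'|'inactive',
//                       'price' => float, 'fee' => float, 'role' => string]

/**
 * Decide whether a requested membership level may be granted right now.
 *
 * @param array|null $level             Level record, or null if the ID is unknown.
 * @param bool       $payment_confirmed True only after the gateway reports a completed payment.
 * @return true|WP_Error
 */
function rcp_example_validate_signup_level( ?array $level, bool $payment_confirmed ) {
    if ( null === $level ) {
        return new WP_Error( 'rcp_unknown_level', 'Unknown membership level.' );
    }
    // Inactive levels (e.g. a retired level that maps to Administrator) are
    // never valid sign-up targets, whatever ID the form submitted.
    if ( 'active' !== $level['status'] ) {
        return new WP_Error( 'rcp_inactive_level', 'This membership level is not available.' );
    }
    // A non-zero recurring price or sign-up fee means the role may only be
    // assigned once payment is confirmed, never at form submission time.
    $requires_payment = ( (float) $level['price'] > 0 ) || ( (float) $level['fee'] > 0 );
    if ( $requires_payment && ! $payment_confirmed ) {
        return new WP_Error( 'rcp_payment_required', 'Payment must complete before activation.' );
    }
    return true;
}

/**
 * Hardened registration flow: the role is assigned only after validation
 * passes. $load_level maps a level ID to a level array (or null) and stands
 * in for the plugin's own lookup (assumed, not the plugin's API).
 */
function rcp_example_handle_registration( callable $load_level, WP_User $user, bool $payment_confirmed ) {
    // absint() turns non-numeric input into 0; unknown IDs resolve to null below.
    $level_id = absint( $_POST['rcp_level'] ?? 0 );
    $level    = $load_level( $level_id );

    $check = rcp_example_validate_signup_level( $level, $payment_confirmed );
    if ( is_wp_error( $check ) ) {
        return $check; // Caller renders the message; no role change has happened.
    }
    $user->add_role( $level['role'] );
    return true;
}
```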
Explanation of Vulnerability in Simple Terms
02 Summary
The Membership Plugin – Restrict Content for WordPress contains an authorization bypass vulnerability affecting versions up to 3.2.20. An attacker can access restricted content or perform unauthorized actions without proper permission checks. Exploitation requires network access to the site but no user interaction or authentication. Site administrators should update immediately to a patched version.
What an attacker can do
03 Attacker Capabilities
Access restricted content or perform actions without proper authorization.
Potential impact on your site
04 Site Impact
Restricted content may be visible to unauthorized users; membership controls may be bypassed.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
March 5, 2026: CVE published
April 8, 2026: Record updated