CVE-2026-1321 HIGH

CVE-2026-1321: Membership Plugin – Restrict Content <= 3.2.20 - Unauthenticated Privilege Escalation via 'rcp_level'

Vendor Stellarwp
Product Membership Plugin – Restrict Content
Weakness CWE-862 · Missing authorization
Published March 5, 2026
Last update April 8, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.20. This is due to the `rcp_setup_registration_init()` function accepting any membership level ID via the `rcp_level` POST parameter without validating that the level is active or that payment is required. Combined with the `add_user_role()` method which assigns the WordPress role configured on the membership level without status checks, this makes it possible for unauthenticated attackers to register with any membership level, including inactive levels that grant privileged WordPress roles such as Administrator, or paid levels that charge a sign-up fee. The vulnerability was partially patched in version 3.2.18.
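
The description above names the two missing checks: the requested level is never validated as active and free (or paid for), and the role mapped to the level is then granted unconditionally. The following PHP is an added example, not code from the plugin or from Stellarwp, showing what a hardened version of that registration-time check looks like. `example_get_level()`, its array layout, the `$payment_completed` flag and `example_handle_registration()` are hypothetical stand-ins for the plugin's own level lookup and payment flow; `absint()`, `WP_Error`, `is_wp_error()`, `esc_html()` and `wp_die()` are standard WordPress functions.

```php
<?php
/**
 * Added example (not the plugin's code): validate an untrusted `rcp_level`
 * value before any WordPress role is assigned.
 *
 * Assumption (hypothetical, not the plugin's real API): example_get_level()
 * returns an array with 'status' ('active'|'inactive'), 'price' (float) and
 * 'role' (WordPress role slug), or null when the level does not exist.
 */

// Constructed membership levels for the demonstration.
function example_get_level( int $id ): ?array {
    $levels = array(
        1 => array( 'status' => 'active',   'price' => 0.00, 'role' => 'subscriber' ),
        // A stale, inactive level that still maps to a privileged role:
        2 => array( 'status' => 'inactive', 'price' => 0.00, 'role' => 'administrator' ),
        3 => array( 'status' => 'active',   'price' => 9.99, 'role' => 'subscriber' ),
    );
    return $levels[ $id ] ?? null;
}

// Roles a self-service registration may ever grant. Anything else must be
// assigned by an administrator, never by a public form.
const EXAMPLE_SELF_REGISTRATION_ROLES = array( 'subscriber' );

/**
 * Returns the level array when the request is acceptable, or a WP_Error
 * explaining the refusal. $payment_completed stands in for whatever the
 * payment gateway reports (hypothetical parameter).
 */
function example_validate_requested_level( $raw_level_id, bool $payment_completed ) {
    $level_id = absint( $raw_level_id ); // coerce untrusted POST input to a non-negative int
    $level    = example_get_level( $level_id );

    if ( null === $level ) {
        return new WP_Error( 'rcp_no_level', 'Unknown membership level.' );
    }
    // The vulnerable pattern stopped at "level exists" and went straight to
    // add_user_role(). Each check below closes one of the gaps in the advisory.
    if ( 'active' !== $level['status'] ) {
        return new WP_Error( 'rcp_level_inactive', 'This membership level is not available.' );
    }
    if ( $level['price'] > 0 && ! $payment_completed ) {
        return new WP_Error( 'rcp_payment_required', 'Payment is required for this level.' );
    }
    // Defence in depth: even an active, paid-for level must not hand out a
    // privileged role to someone who self-registered.
    if ( ! in_array( $level['role'], EXAMPLE_SELF_REGISTRATION_ROLES, true ) ) {
        return new WP_Error( 'rcp_role_forbidden', 'This level cannot be self-assigned.' );
    }
    return $level;
}

// Hypothetical registration entry point: refuse before any user or role is created.
function example_handle_registration(): void {
    if ( ! isset( $_POST['rcp_level'] ) ) {
        return;
    }
    $result = example_validate_requested_level( $_POST['rcp_level'], false );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), '', array( 'response' => 403 ) );
    }
    // Only now create the user and assign $result['role'].
}
```

The role allowlist is the check that matters most for this class of bug: status and price flags on a level are configuration that can drift (an old level left inactive but still mapped to Administrator), whereas refusing to grant anything beyond a low-privilege role from a public form holds regardless of how the levels are configured.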

Explanation of Vulnerability in Simple Terms

02 Summary

The Membership Plugin – Restrict Content for WordPress contains a missing-authorization vulnerability, leading to privilege escalation, in versions up to and including 3.2.20. An attacker can access restricted content or perform unauthorized actions because the registration flow lacks proper permission checks. Exploitation requires specific conditions (CVSS attack complexity: High) but neither user interaction nor authentication. Site administrators should update immediately to a patched version.

What an attacker can do

03 Attacker Capabilities

Register, without authenticating, for any membership level, including inactive levels that grant privileged WordPress roles such as Administrator and paid levels without paying the sign-up fee; more generally, access restricted content or perform actions without proper authorization.

Potential impact on your site

04 Site Impact

Restricted content may be visible to unauthorized users and membership controls may be bypassed; where a level maps to the Administrator role, the attacker obtains administrative access to the site.

Conditions required to exploit

05 Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06 Disclosure timeline

March 5, 2026 CVE published
April 8, 2026 Record updated