CVE-2026-4136 MEDIUM

CVE-2026-4136: Membership Plugin – Restrict Content <= 3.2.24 - Unvalidated Redirect in Password Reset Flow via rcp_redirect

Vendor Stellarwp

Product Membership Plugin – Restrict Content

Weakness CWE-640 · Weak password recovery

Published March 20, 2026

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.2.24. This is due to insufficient validation on the redirect url supplied via the 'rcp_redirect' parameter. This makes it possible for unauthenticated attackers to redirect users with the password reset email to potentially malicious sites if they can successfully trick them into performing an action.

Key dates

02Disclosure timeline

March 20, 2026 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-4136

Related vulnerabilities

Identifiers

CVE CVE-2026-4136

CWE CWE-640

CVSS 4.3 / MEDIUM

Affected versions