Does Restrict User Access – Ultimate Membership & Content Protection have any unpatched vulnerabilities?

No. All known vulnerabilities in Restrict User Access – Ultimate Membership & Content Protection have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Restrict User Access – Ultimate Membership & Content Protection compatible with WordPress 6.8.5?

According to WordPress.org data, Restrict User Access – Ultimate Membership & Content Protection 2.8 has been tested up to WordPress 6.8.5. Check the plugin's changelog for the latest compatibility information.

Restrict User Access – Ultimate Membership & Content Protection Security & Risk Analysis

wordpress.org/plugins/restrict-user-access

Create Access Levels and restrict any post, page, category, etc. Supports bbPress, BuddyPress, WooCommerce, WPML, and more.

10K active installs v2.8 PHP 7.2+ WP 5.8+ Updated Oct 6, 2025

access-controlbbpresscapabilitiescontent-restrictionmembership

A · Safe

CVEs total2

Unpatched0

Last CVEMar 18, 2024

Plugin page Download

Safety Verdict

Is Restrict User Access – Ultimate Membership & Content Protection Safe to Use in 2026?

Generally Safe

Score 99/100

Restrict User Access – Ultimate Membership & Content Protection has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEsLast CVE: Mar 18, 2024Updated 5mo ago

Risk Assessment

The "restrict-user-access" plugin v2.8 exhibits a generally good security posture, with no unprotected entry points identified in the static analysis. The plugin also demonstrates a strong commitment to security best practices by implementing a significant number of nonce and capability checks, indicating a conscious effort to protect against common WordPress vulnerabilities. Furthermore, the absence of critical or high severity taint flows suggests that sensitive data handling is likely being managed securely.

However, several areas warrant attention. The relatively low percentage of properly escaped output (35%) is a significant concern, as it exposes the plugin to potential Cross-Site Scripting (XSS) vulnerabilities if user-supplied data is not correctly sanitized before being displayed. While the vulnerability history shows no currently unpatched CVEs, the presence of two historical medium severity vulnerabilities, specifically XSS and improper access control, suggests a recurring pattern that, combined with the output escaping issue, indicates a potential for these types of flaws to re-emerge. The use of bundled libraries like Freemius and Select2 also introduces a potential risk if these libraries are not kept up-to-date, as they could harbor their own vulnerabilities.

In conclusion, while the plugin has strengths in its protected entry points and robust authentication checks, the low output escaping rate and past vulnerability history, particularly concerning XSS and access control, present clear risks that should be addressed. Proactive security efforts should focus on improving output escaping mechanisms and ensuring bundled libraries are current to mitigate these identified weaknesses.

Key Concerns

Low percentage of properly escaped output
History of XSS vulnerabilities
History of improper access control vulnerabilities
Bundled libraries (potential for outdated versions)

Vulnerabilities

Restrict User Access – Ultimate Membership & Content Protection Security Vulnerabilities

CVEs by Year

2 CVEs in 2024

2024

Patched Has unpatched

Severity Breakdown

Medium

2 total CVEs

CVE-2024-29138medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Restrict User Access – Membership Plugin with Force <= 2.5 - Reflected Cross-Site Scripting

Mar 18, 2024 Patched in 2.6 (5d)

CVE-2024-0687medium · 5.3Improper Access Control

Restrict User Access – Ultimate Membership & Content Protection <= 2.5 - Information Exposure

Feb 26, 2024 Patched in 2.6 (155d)

Code Analysis

Analyzed Mar 16, 2026

Restrict User Access – Ultimate Membership & Content Protection Code Analysis

Dangerous Functions

Raw SQL Queries

32 prepared

Unescaped Output

49 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

FreemiusSelect2

SQL Query Safety

65% prepared49 total queries

Output Escaping

35% escaped142 total outputs

Data Flows

All sanitized

Data Flow Analysis

2 flows

prepare_screen (admin\level-edit.php:366)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Restrict User Access – Ultimate Membership & Content Protection Attack Surface

Entry Points4

Unprotected0

AJAX Handlers 3

authwp_ajax_rua/user/suggestadmin\level-edit.php:24

authwp_ajax_rua/page/suggestadmin\level-edit.php:25

authwp_ajax_rua/membership/extendadmin\level-edit.php:26

Shortcodes 1

[login-form] app.php:152

WordPress Hooks 71

actionadmin_menuadmin\admin.php:24

actionin_admin_headeradmin\admin.php:105

actionadmin_enqueue_scriptsadmin\admin.php:109

actionadmin_bar_initadmin\admin_bar.php:32

actionadmin_bar_menuadmin\admin_bar.php:41

actionwp_headadmin\admin_bar.php:42

actionrua/admin/add_meta_boxesadmin\level-edit.php:23

filterwpca/condition/metaadmin\level-edit.php:28

actionwpca/group/settingsadmin\level-edit.php:213

actionadmin_footeradmin\level-edit.php:377

actionadmin_footeradmin\level-edit.php:381

actionin_admin_headeradmin\level-edit.php:432

filterset-screen-optionadmin\level-overview.php:28

actionwp_update_nav_menu_itemadmin\nav-menu.php:22

actionwp_nav_menu_item_custom_fieldsadmin\nav-menu.php:28

filterwp_edit_nav_menu_walkeradmin\nav-menu.php:37

filterwp_get_nav_menu_itemsadmin\nav-menu.php:47

filterhide_account_tabsadmin\screen_account.php:43

filterhide_billing_and_payments_infoadmin\screen_account.php:44

actionafter_account_detailsadmin\screen_account.php:54

actionadmin_initadmin\settings.php:48

actionadmin_enqueue_scriptsapp.php:95

actionshow_user_profileapp.php:101

actionedit_user_profileapp.php:105

actionpersonal_options_updateapp.php:109

actionedit_user_profile_updateapp.php:113

actiondelete_userapp.php:117

filtermanage_users_columnsapp.php:124

filtermanage_users_custom_columnapp.php:128

filtercas/metadata/populateapp.php:134

actionwpca/loadedapp.php:150

filtercas/user_visibilityapp.php:157

filteruser_has_capapp.php:168

filterconnect-headerfreemius.php:43

filterconnect_message_on_updatefreemius.php:50

filterconnect_messagefreemius.php:51

filterplugin_iconfreemius.php:52

filterpermission_extensions_defaultfreemius.php:53

filterhide_freemius_powered_byfreemius.php:54

actiontemplate_redirectlevel.php:36

filterrua/auth/page-no-accesslevel.php:50

filterthe_contentlevel.php:389

filterset_url_schemelist-members.php:430

filterset_url_schemelist-members.php:441

actionadmin_noticessrc\Autoloader.php:27

actioninitsrc\Level\PostType.php:20

filterget_edit_post_linksrc\Level\PostType.php:25

filterget_delete_post_linksrc\Level\PostType.php:31

filterpre_wp_update_comment_count_nowsrc\Level\PostType.php:37

actiondelete_postsrc\Level\PostType.php:43

actionwpca/loadedsrc\Membership\Automator\AutomatorService.php:14

filterrua/user_levelssrc\Membership\Automator\BPMemberTypeTraitAutomator.php:36

actionedd_complete_purchasesrc\Membership\Automator\EDDProductTriggerAutomator.php:36

actiongive_update_payment_statussrc\Membership\Automator\GiveWPDonationTriggerAutomator.php:36

filterrua/user_levelssrc\Membership\Automator\LoginStateTraitAutomator.php:28

actionuser_registersrc\Membership\Automator\RegistrationTriggerAutomator.php:27

filterrua/user_levelssrc\Membership\Automator\UserRoleTraitAutomator.php:23

actionset_user_rolesrc\Membership\Automator\UserRoleTriggerAutomator.php:28

actionwoocommerce_order_status_completedsrc\Membership\Automator\WooProductTriggerAutomator.php:36

actionparse_comment_querysrc\Membership\QueryFilters.php:18

filtercomments_clausessrc\Membership\QueryFilters.php:22

filtercomments_clausessrc\Membership\QueryFilters.php:82

actionauth_redirectsrc\Module\AdminAccess.php:20

filterlogin_redirectsrc\Module\AdminAccess.php:23

filtershow_admin_barsrc\Module\AdminBar.php:23

actionwp_headsrc\Module\ContentMode.php:34

filterrest_api_initsrc\Module\ContentMode.php:38

filterthe_contentsrc\Module\ContentMode.php:104

filterthe_contentsrc\Module\ContentMode.php:107

filterthe_excerptsrc\Module\ContentMode.php:108

filterrest_authentication_errorssrc\Module\RestApiContentProtection.php:28

Maintenance & Trust

Restrict User Access – Ultimate Membership & Content Protection Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5

Last updatedOct 6, 2025

PHP min version7.2

Downloads618K

Community Trust

Rating86/100

Number of ratings94

Active installs10K

Alternatives

Restrict User Access – Ultimate Membership & Content Protection Alternatives

Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More

content-control

Restrict content based on login status, user roles, device type & more. Monetize your content with a paywall or members-only content.

40K 4 CVEs

Groups bbPress

groups-bbpress

100

Protect bbPress Forums, Topics and Replies using Groups.

40 No CVEs

Members – Membership & User Role Editor Plugin

members

The best WordPress membership and user role editor plugin. User Roles & Capabilities editor helps you restrict content in just a few clicks.

300K 1 CVE

User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder

user-registration

Build membership sites with tiered plans, content restriction, drag-&-drop custom registration & login form builder, and built-in payment system.

60K 29 CVEs

Groups

groups

Groups is an efficient and powerful solution, providing group-based user membership management, group-based capabilities and content access control.

10K 2 CVEs

Developer Profile

Restrict User Access – Ultimate Membership & Content Protection Developer Profile

Joachim Jensen

4 plugins · 41K total installs

trust score

Avg Security Score

98/100

Avg Patch Time

651 days

View full developer profile

Detection Fingerprints

How We Detect Restrict User Access – Ultimate Membership & Content Protection

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/restrict-user-access/assets/css/style.css/wp-content/plugins/restrict-user-access/assets/js/vue-select.js/wp-content/plugins/restrict-user-access/assets/js/user-suggest.js/wp-content/plugins/restrict-user-access/assets/js/level-edit.js/wp-content/plugins/restrict-user-access/assets/js/access-level.js/wp-content/plugins/restrict-user-access/assets/js/conditions.js/wp-content/plugins/restrict-user-access/assets/js/page-suggest.js/wp-content/plugins/restrict-user-access/assets/js/membership.js

Script Paths

/wp-content/plugins/restrict-user-access/assets/js/vue-select.min.js/wp-content/plugins/restrict-user-access/assets/js/user-suggest.min.js/wp-content/plugins/restrict-user-access/assets/js/level-edit.min.js/wp-content/plugins/restrict-user-access/assets/js/access-level.min.js/wp-content/plugins/restrict-user-access/assets/js/conditions.min.js/wp-content/plugins/restrict-user-access/assets/js/page-suggest.min.js+1 more

Version Parameters

restrict-user-access/assets/css/style.css?ver=restrict-user-access/assets/js/vue-select.js?ver=restrict-user-access/assets/js/user-suggest.js?ver=restrict-user-access/assets/js/level-edit.js?ver=restrict-user-access/assets/js/access-level.js?ver=restrict-user-access/assets/js/conditions.js?ver=restrict-user-access/assets/js/page-suggest.js?ver=restrict-user-access/assets/js/membership.js?ver=

HTML / DOM Fingerprints

CSS Classes

rua-input-group

HTML Comments

Data Attributes

data-vue-app='true'

JS Globals

rua_paramsRUA_App

REST Endpoints

/wp-json/rua/v1/users/wp-json/rua/v1/pages/wp-json/rua/v1/memberships

FAQ