CVE-2026-1321

Membership Plugin – Restrict Content <= 3.2.20 - Unauthenticated Privilege Escalation via 'rcp_level'

highMissing Authorization

8.1

CVSS Score

8.1

CVSS Score

high

Severity

3.2.21

Patched in

Time to patch

Description

The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.20. This is due to the `rcp_setup_registration_init()` function accepting any membership level ID via the `rcp_level` POST parameter without validating that the level is active or that payment is required. Combined with the `add_user_role()` method which assigns the WordPress role configured on the membership level without status checks, this makes it possible for unauthenticated attackers to register with any membership level, including inactive levels that grant privileged WordPress roles such as Administrator, or paid levels that charge a sign-up fee. The vulnerability was partially patched in version 3.2.18.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

High

Confidentiality

High

Integrity

High

Availability

Technical Details

Affected versions<=3.2.20

PublishedMarch 4, 2026

Last updatedMarch 5, 2026

Affected pluginrestrict-content

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/abfaa4a6-92b0-4233-b08d-e668090d3fc2?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database