CVE-2026-1321 - Vulnerability Analysis

Overview

Membership Plugin – Restrict Content for WordPress <= 3.2.20 contains a privilege escalation caused by lack of validation on membership level ID in rcp_setup_registration_init(), letting unauthenticated attackers register with any membership level including privileged roles, exploit requires no authentication.

Severity & Score

Impact

Unauthenticated attackers can escalate privileges by registering with any membership level, including administrator roles, compromising site security.

Mitigation

Update to a version later than 3.2.20 or the latest available version.

References

• https://plugins.trac.wordpress.org/changeset/3460177/
• https://www.wordfence.com/threat-intel/vulnerabilities/id/abfaa4a6-92b0-4233-b08d-e668090d3fc2?source=cve
• https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.15/core/includes/class-rcp-registration.php#L107
• https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.15/core/includes/memberships/class-rcp-membership.php#L1939
• https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.15/core/includes/registration-functions.php#L1191
• https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.15/core/includes/registration-functions.php#L1203
• https://plugins.trac.wordpress.org/changeset/3447187/

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 5, 2026

🟠 CVE-2026-1321 - High (8.1) The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.20. This is due to the `rcp_setup_registration_init()` function accepting any membership level ID via t... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1321/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner