Description
The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.20. This is due to the `rcp_setup_registration_init()` function accepting any membership level ID via the `rcp_level` POST parameter without validating that the level is active or that payment is required. Combined with the `add_user_role()` method which assigns the WordPress role configured on the membership level without status checks, this makes it possible for unauthenticated attackers to register with any membership level, including inactive levels that grant privileged WordPress roles such as Administrator, or paid levels that charge a sign-up fee. The vulnerability was partially patched in version 3.2.18.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The Membership Plugin – Restrict Content plugin for WordPress carries a privilege escalation vulnerability that exists in all releases up to version 3.2.20. The flaw is in the rcp_setup_registration_init() function, which accepts the rcp_level POST parameter without verifying that the membership level is active or that a payment is required. Because add_user_role() assigns the WordPress role configured for that level without any status checks, an unauthenticated attacker can register with any level, including inactive levels that grant privileged roles such as Administrator, or paid levels that would normally trigger a sign-up fee. This allows creation of fully privileged user accounts without authentication or payment.

Affected Systems

The affected product is the StellarWP Membership Plugin – Restrict Content. All releases up to and including version 3.2.20 are vulnerable; no other vendors or later versions are listed as affected.

Risk and Exploitability

The CVSS v3.1 base score for this issue is 8.1 (High), and the EPSS exploitation probability is reported as less than 1%, indicating a low overall likelihood at the present time. The vulnerability is not present in the CISA KEV catalog. An attacker can exploit the flaw by sending an unauthenticated HTTP POST request to the plugin’s registration endpoint with any desired rcp_level value. Because the plugin does not validate the level against activation or payment status, the user is created and immediately granted the WordPress role associated with the supplied level. The partial patch introduced in version 3.2.18 does not fully mitigate the issue, and exploitation remains possible until a complete fix is applied in later releases.

Generated by OpenCVE AI on April 15, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Membership Plugin – Restrict Content to any version newer than 3.2.20, which contains the full patch that validates membership level status before assigning roles.
  • If an upgrade cannot be performed immediately, restrict the rcp_level POST parameter to a whitelist of authorized membership levels, or disable public registration altogether to prevent unauthenticated registrations.
  • As an additional temporary safeguard, enforce a check that the membership level is active and paid before assigning the WordPress role, or remap any newly created Administrator accounts to a less privileged role.
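As an added illustration of the third action above (example code, not from the plugin or from OpenCVE), this PHP snippet shows the shape of the missing check: a level ID taken from rcp_level is validated for existence, active status and an allowed role before any role assignment, and paid levels are deferred to the payment flow. The level data, field names and function name are assumptions, not the plugin's real schema or API.

```php
<?php
// Added example (not Restrict Content code): the validation the advisory says
// rcp_setup_registration_init() lacks. A level ID from the rcp_level POST
// parameter is accepted only if it exists, is active, and grants a role the
// public form may hand out; paid levels are flagged so the caller assigns the
// role only after the gateway confirms payment. $levels is constructed data.
$levels = [
    1 => ['status' => 'active',   'price' => 0,  'fee' => 0, 'role' => 'subscriber'],
    2 => ['status' => 'active',   'price' => 20, 'fee' => 5, 'role' => 'subscriber'],
    3 => ['status' => 'inactive', 'price' => 0,  'fee' => 0, 'role' => 'administrator'],
];
/**
 * Hypothetical helper. Returns ['ok' => true, 'role' => ..., 'requires_payment' => bool]
 * or ['ok' => false, 'error' => ...]; the caller must not assign a role unless ok is true.
 */
function example_validate_registration_level(array $levels, $requested, array $allowed_roles): array
{
    // Only a plain positive integer is a candidate ID; arrays, floats, etc. are rejected.
    $id = is_scalar($requested)
        ? filter_var($requested, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]])
        : false;
    if ($id === false || !isset($levels[$id])) {
        return ['ok' => false, 'error' => 'unknown membership level'];
    }
    $level = $levels[$id];
    // Inactive levels are not offered on the form, so they must not be selectable by POST either.
    if ($level['status'] !== 'active') {
        return ['ok' => false, 'error' => 'membership level is not available'];
    }
    // Defence in depth: registration never assigns a role outside the allowlist,
    // even if an active level was misconfigured with a privileged role.
    if (!in_array($level['role'], $allowed_roles, true)) {
        return ['ok' => false, 'error' => 'membership level grants a role registration may not assign'];
    }
    $paid = $level['price'] > 0 || $level['fee'] > 0;
    return ['ok' => true, 'role' => $level['role'], 'requires_payment' => $paid];
}
// Constructed requests: an inactive admin level, a paid level, a free level, and junk.
foreach (['3', '2', '1', 'abc'] as $requested) {
    $r = example_validate_registration_level($levels, $requested, ['subscriber']);
    if (!$r['ok']) {
        echo "rcp_level=$requested rejected: {$r['error']}\n";
    } elseif ($r['requires_payment']) {
        echo "rcp_level=$requested: defer role {$r['role']} until payment is confirmed\n";
    } else {
        echo "rcp_level=$requested: assign role {$r['role']}\n";
    }
}
```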

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Stellarwp
                                      Stellarwp membership Plugin - Restrict Content
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Stellarwp
                                      Stellarwp membership Plugin - Restrict Content
                                      Wordpress
                                      Wordpress wordpress

Thu, 05 Mar 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 07:45:00 +0000

Type          Values Removed   Values Added
Description                    The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.20. This is due to the `rcp_setup_registration_init()` function accepting any membership level ID via the `rcp_level` POST parameter without validating that the level is active or that payment is required. Combined with the `add_user_role()` method which assigns the WordPress role configured on the membership level without status checks, this makes it possible for unauthenticated attackers to register with any membership level, including inactive levels that grant privileged WordPress roles such as Administrator, or paid levels that charge a sign-up fee. The vulnerability was partially patched in version 3.2.18.
Title                          Membership Plugin – Restrict Content <= 3.2.20 - Unauthenticated Privilege Escalation via 'rcp_level'
Weaknesses                     CWE-862
References
Metrics                        cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:14:45.884Z

Reserved: 2026-01-22T01:21:39.470Z

Link: CVE-2026-1321

Vulnrichment

Updated: 2026-03-05T14:54:58.130Z

NVD

Status : Deferred

Published: 2026-03-05T08:15:57.957

Modified: 2026-04-22T21:27:27.950

Link: CVE-2026-1321

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:00:15Z

Weaknesses