Description
The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.2.24. This is due to insufficient validation on the redirect url supplied via the 'rcp_redirect' parameter. This makes it possible for unauthenticated attackers to redirect users with the password reset email to potentially malicious sites if they can successfully trick them into performing an action.
Published: 2026-03-20
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unvalidated Redirect for Phishing
Action: Patch
AI Analysis

Impact

The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to an unvalidated redirect in the password reset process. The plugin fails to properly validate the rcp_redirect parameter, allowing an unauthenticated attacker to embed a malicious URL in the password reset email. If the user follows the link, they are redirected to the attacker’s site, enabling credential harvesting or other social‑engineering attacks. The weakness is classified as CWE‑640.

Affected Systems

All installations of the Restrict Content membership plugin version 3.2.24 and earlier, maintained by StellarWP, are affected. The CNAs list the product as StellarWP:Membership Plugin – Restrict Content, with every prior release vulnerable to this flaw.

Risk and Exploitability

The CVSS score is 4.3, indicating moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a phishing scenario where an attacker sends a password‑reset email containing a malicious redirect link. Since the redirect is not constrained, exploitation requires only convincing the user to click the link, making the risk moderate to high for sites that use the password‑reset feature.

Generated by OpenCVE AI on March 20, 2026 at 05:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of the Restrict Content plugin (v3.2.25 or newer) to remove the unvalidated redirect flaw.
  • If an immediate upgrade is not possible, block or sanitize the rcp_redirect query parameter so it only accepts trusted URLs.
  • Disable automatic sending of password reset emails if they are not needed, or enforce email verification to reduce the attack surface.
  • Monitor user accounts for unusual sign‑ins or repeated reset requests that may indicate exploitation.

Generated by OpenCVE AI on March 20, 2026 at 05:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Stellarwp
Stellarwp membership Plugin - Restrict Content
Wordpress
Wordpress wordpress
Vendors & Products Stellarwp
Stellarwp membership Plugin - Restrict Content
Wordpress
Wordpress wordpress

Fri, 20 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
Description The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.2.24. This is due to insufficient validation on the redirect url supplied via the 'rcp_redirect' parameter. This makes it possible for unauthenticated attackers to redirect users with the password reset email to potentially malicious sites if they can successfully trick them into performing an action.
Title Membership Plugin – Restrict Content <= 3.2.24 - Unvalidated Redirect in Password Reset Flow via rcp_redirect
Weaknesses CWE-640
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Stellarwp Membership Plugin - Restrict Content
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:42.603Z

Reserved: 2026-03-13T14:50:43.889Z

Link: CVE-2026-4136

cve-icon Vulnrichment

Updated: 2026-03-20T14:09:33.506Z

cve-icon NVD

Status : Deferred

Published: 2026-03-20T04:16:50.517

Modified: 2026-04-22T21:32:08.360

Link: CVE-2026-4136

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T10:37:29Z

Weaknesses