Vulnerabilities and security researches forrestrict-content restrict-content
Direction: descendingApr 15, 2026
Membership Plugin – Restrict Content # CVE-2026-1304
- CVE, Research URL
- Application
- Date
- Feb 18, 2026
- Research Description
- The Membership Plugin – Restrict Content for WordPress is vulnerable to Stored Cross-Site Scripting via multiple invoice settings fields in all versions up to, and including, 3.2.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 3.2.19.
- Status
-
vulnerable
Membership Plugin – Restrict Content # CVE-2026-1321
- CVE, Research URL
- Application
- Date
- Mar 05, 2026
- Research Description
- The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.20. This is due to the `rcp_setup_registration_init()` function accepting any membership level ID via the `rcp_level` POST parameter without validating that the level is active or that payment is required. Combined with the `add_user_role()` method which assigns the WordPress role configured on the membership level without status checks, this makes it possible for unauthenticated attackers to register with any membership level, including inactive levels that grant privileged WordPress roles such as Administrator, or paid levels that charge a sign-up fee. The vulnerability was partially patched in version 3.2.18.
- Affected versions
-
max 3.2.21.
- Status
-
vulnerable
Apr 13, 2026
Membership Plugin – Restrict Content # CVE-2026-4136
- CVE, Research URL
- Application
- Date
- Mar 20, 2026
- Research Description
- The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.2.24. This is due to insufficient validation on the redirect url supplied via the 'rcp_redirect' parameter. This makes it possible for unauthenticated attackers to redirect users with the password reset email to potentially malicious sites if they can successfully trick them into performing an action.
- Affected versions
-
max 3.2.25.
- Status
-
vulnerable
Membership Plugin – Restrict Content # CVE-2026-32546
- CVE, Research URL
- Application
- Date
- Mar 25, 2026
- Research Description
- Missing Authorization vulnerability in StellarWP Restrict Content restrict-content allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Restrict Content: from n/a through <= 3.2.22.
- Affected versions
-
max 3.2.23.
- Status
-
vulnerable
Jan 28, 2026
Membership Plugin – Restrict Content # CVE-2025-14844
- CVE, Research URL
- Application
- Date
- Jan 16, 2026
- Research Description
- The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership.
- Affected versions
-
max 3.2.17.
- Status
-
vulnerable
Jan 10, 2026
Membership Plugin – Restrict Content # CVE-2025-14000
- CVE, Research URL
- Application
- Date
- Dec 23, 2025
- Research Description
- The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'register_form' and 'restrict' shortcodes in all versions up to, and including, 3.2.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 3.2.16.
- Status
-
vulnerable
Jan 28, 2025
Membership Plugin – Restrict Content # CVE-2024-11090
- CVE, Research URL
- Application
- Date
- Jan 26, 2025
- Research Description
- The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.13 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.
- Affected versions
-
max 3.2.14.
- Status
-
vulnerable
Jun 07, 2024
Membership Plugin – Restrict Content # CVE-2024-31432
- CVE, Research URL
- Application
- Date
- Apr 15, 2024
- Research Description
- Missing Authorization vulnerability in StellarWP Restrict Content.This issue affects Restrict Content: from n/a through 3.2.8.
- Affected versions
-
max 3.2.9.
- Status
-
vulnerable
Membership Plugin – Restrict Content # CVE-2023-3182
- CVE, Research URL
- Application
- Date
- Jul 17, 2023
- Research Description
- The Membership WordPress plugin before 3.2.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
- Affected versions
-
max 3.2.8.
- Status
-
vulnerable
Membership Plugin – Restrict Content # 0385b9c1aded3b04d2a87cde20a8adc8be7153cc
- CVE, Research URL
- Application
- Date
- Jun 23, 2023
- Research Description
- Membership Plugin – Restrict Content [restrict-content] < 3.2.3 (closed) Restrict Content <= 3.2.2 - Reflected Cross-Site Scripting The Restrict Content plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via POST data from the rcp_ajax_dismissed_notice_handler() function in versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
- Affected versions
-
max 3.2.3.
- Status
-
vulnerable
Membership Plugin – Restrict Content # CVE-2023-47668
- CVE, Research URL
- Application
- Date
- Nov 23, 2023
- Research Description
- Exposure of Sensitive Information to an Unauthorized Actor vulnerability in StellarWP Membership Plugin – Restrict Content plugin <= 3.2.7 versions.
- Affected versions
-
max 3.2.8.
- Status
-
vulnerable