5.4
WordPress User Registration & Membership Plugin Allows Unauthorized Access to Data
CVE-2026-4056
Summary
The User Registration & Membership plugin for WordPress has a missing authorization flaw that lets authenticated users with Contributor-level access or above modify site-wide content restriction rules, potentially exposing restricted content or blocking legitimate users. This affects versions 5.0.1 to 5.1.4. Update to the latest version to fix the issue.
Original title
The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Content Access Rules REST API endpoints in versio...
Original description
The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Content Access Rules REST API endpoints in versions 5.0.1 through 5.1.4. This is due to the `check_permissions()` method only checking for `edit_posts` capability instead of an administrator-level capability. This makes it possible for authenticated attackers, with Contributor-level access and above, to list, create, modify, toggle, duplicate, and delete site-wide content restriction rules, potentially exposing restricted content or denying legitimate user access.
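The capability mismatch described above, shown as an added example that is not the plugin's own code: a REST permission callback that accepts `edit_posts`, next to one that requires an administrator-level capability. The `example/v1` namespace, the option name and all `example_*` functions are hypothetical, and `manage_options` is an assumed choice of administrator capability, not necessarily the one the vendor's fix uses.

```php
<?php
// Added illustration, not the plugin's code. The example/v1 namespace, the
// option name and every example_* function are hypothetical.
// Before: the check the advisory describes. Contributors hold edit_posts,
// so every role from Contributor upward passes.
function example_rules_permission_weak( WP_REST_Request $request ) {
	return current_user_can( 'edit_posts' );
}

// After: require an administrator-level capability (manage_options assumed).
function example_rules_permission( WP_REST_Request $request ) {
	if ( current_user_can( 'manage_options' ) ) {
		return true;
	}
	return new WP_Error(
		'rest_forbidden',
		'You are not allowed to manage content access rules.',
		array( 'status' => rest_authorization_required_code() )
	);
}

function example_rules_list( WP_REST_Request $request ) {
	return rest_ensure_response( get_option( 'example_access_rules', array() ) );
}

function example_rules_delete( WP_REST_Request $request ) {
	$rules = get_option( 'example_access_rules', array() );
	$id    = (int) $request['id'];
	if ( ! isset( $rules[ $id ] ) ) {
		return new WP_Error( 'not_found', 'No such rule.', array( 'status' => 404 ) );
	}
	unset( $rules[ $id ] );
	update_option( 'example_access_rules', $rules );
	return rest_ensure_response( array( 'deleted' => $id ) );
}

add_action( 'rest_api_init', function () {
	// Read and write routes share one callback, so listing rules is gated too.
	register_rest_route( 'example/v1', '/rules', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => 'example_rules_list',
		'permission_callback' => 'example_rules_permission',
	) );
	register_rest_route( 'example/v1', '/rules/(?P<id>\d+)', array(
		'methods'             => WP_REST_Server::DELETABLE,
		'callback'            => 'example_rules_delete',
		'permission_callback' => 'example_rules_permission',
	) );
} );
```

When reviewing a plugin for this class of issue, compare the capability in each `permission_callback` with the scope of what the route changes: a route that alters site-wide settings should not be reachable with a content-authoring capability.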
NVD CVSS 3.1
5.4
Vulnerability type
CWE-862
Missing Authorization
- https://plugins.trac.wordpress.org/browser/user-registration/tags/5.1.1/modules/...
- https://plugins.trac.wordpress.org/browser/user-registration/trunk/modules/conte...
- https://plugins.trac.wordpress.org/changeset/3485702/user-registration/trunk/mod...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7bb5a5a2-9644-4850-a5f...
Published: 24 Mar 2026 · Updated: 24 Mar 2026 · First seen: 24 Mar 2026