CVE-2026-1321
Published: 05 March 2026
Summary
CVE-2026-1321 is a high-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring timely remediation of the identified flaw in the plugin's registration function through patching or replacement.
Enforces missing authorization checks on the rcp_level parameter and role assignment to prevent unauthenticated privilege escalation.
Requires validation of the rcp_level POST input to ensure the membership level is active and payment-required before processing registration.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote exploitation of a public-facing WordPress plugin vulnerability enables privilege escalation to administrator roles via manipulated registration without authorization checks.
NVD Description
The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.20. This is due to the `rcp_setup_registration_init()` function accepting any membership level ID via the `rcp_level` POST parameter without…
more
validating that the level is active or that payment is required. Combined with the `add_user_role()` method which assigns the WordPress role configured on the membership level without status checks, this makes it possible for unauthenticated attackers to register with any membership level, including inactive levels that grant privileged WordPress roles such as Administrator, or paid levels that charge a sign-up fee. The vulnerability was partially patched in version 3.2.18.
Deeper analysisAI
CVE-2026-1321 is a privilege escalation vulnerability affecting the Membership Plugin – Restrict Content for WordPress in all versions up to and including 3.2.20. The issue stems from the `rcp_setup_registration_init()` function, which accepts any membership level ID through the `rcp_level` POST parameter without verifying whether the level is active or requires payment. This flaw combines with the `add_user_role()` method, which assigns the configured WordPress role for the membership level without performing status checks, enabling unauthorized role assignments.
Unauthenticated attackers can exploit this vulnerability over the network by submitting a registration request with a manipulated `rcp_level` POST parameter specifying any desired membership level. This allows them to self-register for inactive levels that grant privileged WordPress roles, such as Administrator, or paid levels that normally require a sign-up fee, without any validation or payment. The CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects high impact on confidentiality, integrity, and availability, linked to CWE-862 (Missing Authorization).
The vulnerability was partially patched in version 3.2.18, though versions up to 3.2.20 remain affected. References point to specific code locations in the plugin's source, including `class-rcp-registration.php` at line 107, `class-rcp-membership.php` at line 1939, and `registration-functions.php` at lines 1191 and 1203 in tag 3.2.15, along with changeset 3447187, which likely details the partial fix. Security practitioners should urge immediate updates to the latest plugin version and review membership level configurations to ensure no inactive privileged levels exist.
Details
- CWE(s)