Cyber Resilience

CVE-2026-1321

Severity: High

Published: 05 March 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: partial fix in 3.2.18 (see Deeper analysis)
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0035 (26.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-1321 is a high-severity Missing Authorization (CWE-862) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-1321 is a privilege escalation vulnerability affecting the Membership Plugin – Restrict Content for WordPress in all versions up to and including 3.2.20. The issue stems from the `rcp_setup_registration_init()` function, which accepts any membership level ID through the `rcp_level` POST parameter without verifying whether the level is active or requires payment. This flaw combines with the `add_user_role()` method, which assigns the configured WordPress role for the membership level without performing status checks, enabling unauthorized role assignments.

Unauthenticated attackers can exploit this vulnerability over the network by submitting a registration request with a manipulated `rcp_level` POST parameter specifying any desired membership level. This allows them to self-register for inactive levels that grant privileged WordPress roles, such as Administrator, or paid levels that normally require a sign-up fee, without any validation or payment. The CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects high impact on confidentiality, integrity, and availability, linked to CWE-862 (Missing Authorization).

The vulnerability was partially patched in version 3.2.18, though versions up to 3.2.20 remain affected. References point to specific code locations in the plugin's source, including `class-rcp-registration.php` at line 107, `class-rcp-membership.php` at line 1939, and `registration-functions.php` at lines 1191 and 1203 in tag 3.2.15, along with changeset 3447187, which likely details the partial fix. Security practitioners should urge immediate updates to the latest plugin version and review membership level configurations to ensure no inactive privileged levels exist.
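The fix this flaw calls for is a status and payment check before any WordPress role is granted. What follows is an added illustration, not the plugin's own code: it models the unchecked registration path the advisory describes beside a hardened variant that rejects inactive levels and withholds the role of a paid level until payment is confirmed, plus the configuration audit the advisory recommends. The `$levels` table, the `status`/`price`/`fee`/`role` fields and all function names are assumptions standing in for the plugin's real level storage and API.

```php
<?php
// Constructed membership-level table (assumption; not the plugin's storage).
$levels = [
    1 => ['name' => 'Free',  'status' => 'active',   'price' => 0,  'fee' => 0, 'role' => 'subscriber'],
    2 => ['name' => 'Pro',   'status' => 'active',   'price' => 20, 'fee' => 5, 'role' => 'subscriber'],
    3 => ['name' => 'Staff', 'status' => 'inactive', 'price' => 0,  'fee' => 0, 'role' => 'administrator'],
];

// Unchecked path, as described in the advisory: the posted level ID is looked up
// and its configured role is assigned with no status or payment check.
function vulnerable_register(array $levels, array $post): array {
    $id = (int) ($post['rcp_level'] ?? 0);
    if (!isset($levels[$id])) {
        return ['ok' => false, 'error' => 'unknown level'];
    }
    return ['ok' => true, 'role' => $levels[$id]['role']];
}

// Hardened path: validate the ID, refuse inactive levels, and assign no role
// for a paid level until the payment step has completed.
function hardened_register(array $levels, array $post, bool $payment_confirmed = false): array {
    $id = filter_var($post['rcp_level'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || !isset($levels[$id])) {
        return ['ok' => false, 'error' => 'unknown level'];
    }
    $level = $levels[$id];
    if ($level['status'] !== 'active') {
        return ['ok' => false, 'error' => 'level not open for registration'];
    }
    $requires_payment = ($level['price'] + $level['fee']) > 0;
    if ($requires_payment && !$payment_confirmed) {
        // Registration may proceed, but the role is granted only after payment.
        return ['ok' => true, 'role' => null, 'pending_payment' => true];
    }
    return ['ok' => true, 'role' => $level['role']];
}

// Configuration audit: list levels whose role is privileged, whatever their status,
// so they can be reviewed before a self-registration path can ever reach them.
function audit_privileged_levels(array $levels, array $privileged = ['administrator', 'editor']): array {
    $flagged = [];
    foreach ($levels as $id => $level) {
        if (in_array($level['role'], $privileged, true)) {
            $flagged[] = sprintf('level %d (%s): role=%s status=%s', $id, $level['name'], $level['role'], $level['status']);
        }
    }
    return $flagged;
}

$post = ['rcp_level' => '3'];                       // constructed request for the inactive admin level
var_dump(vulnerable_register($levels, $post));      // role => administrator
var_dump(hardened_register($levels, $post));        // ok => false, level not open for registration
var_dump(hardened_register($levels, ['rcp_level' => '2']));  // ok => true, role => NULL, pending_payment
print_r(audit_privileged_levels($levels));          // flags level 3
```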


Vulnerability details

The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.20. This is due to the `rcp_setup_registration_init()` function accepting any membership level ID via the `rcp_level` POST parameter without validating that the level is active or that payment is required. Combined with the `add_user_role()` method which assigns the WordPress role configured on the membership level without status checks, this makes it possible for unauthenticated attackers to register with any membership level, including inactive levels that grant privileged WordPress roles such as Administrator, or paid levels that charge a sign-up fee. The vulnerability was partially patched in version 3.2.18.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Unauthenticated remote exploitation of a public-facing WordPress plugin vulnerability enables privilege escalation to administrator roles via manipulated registration without authorization checks.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2110 (shared CWE-862)
CVE-2026-39432 (shared CWE-862)
CVE-2026-22683 (shared CWE-862)
CVE-2022-45830 (shared CWE-862)
CVE-2025-6754 (shared CWE-862)
CVE-2026-2001 (shared CWE-862)
CVE-2025-15041 (shared CWE-862)
CVE-2025-13313 (shared CWE-862)
CVE-2026-41454 (shared CWE-862)
CVE-2025-2266 (shared CWE-862)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

Control (prevent): Directly mitigates the CVE by requiring timely remediation of the identified flaw in the plugin's registration function through patching or replacement.

AC-3, Access Enforcement (prevent): Enforces the missing authorization checks on the rcp_level parameter and on role assignment, preventing unauthenticated privilege escalation.

SI-10, Information Input Validation (prevent): Requires validation of the rcp_level POST input to confirm that the membership level is active and to enforce any payment requirement before registration is processed.
