CVE-2026-1304
Membership Plugin – Restrict Content <= 3.2.18 - Authenticated (Administrator+) Stored Cross-Site Scripting via Invoice Settings
CVSS Score
4.4
EPSS Score
0.1%
EPSS Percentile
21th
The Membership Plugin – Restrict Content for WordPress is vulnerable to Stored Cross-Site Scripting via multiple invoice settings fields in all versions up to, and including, 3.2.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
| CWE | CWE-79 |
| Vendor | stellarwp |
| Product | membership plugin – restrict content |
| Published | Feb 18, 2026 |
| Last Updated | Feb 18, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
stellarwp / Membership Plugin – Restrict Content
* ≤ 3.2.18
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/cdd563b7-a1b9-4d99-9a6e-c8acf9dda619?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L896 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L905 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L914 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L923 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L932 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L941 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L950 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L971 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/templates/invoice.php#L271 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/templates/invoice.php#L281 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448964%40restrict-content&new=3448964%40restrict-content&sfp_email=&sfph_mail=
Credits
Miguel Santareno