CVE-2026-4056
User Registration & Membership <= 5.1.4 - Missing Authorization to Authenticated (Contributor+) Content Access Rule Manipulation
The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Content Access Rules REST API endpoints in versions 5.0.1 through 5.1.4. This is due to the `check_permissions()` method only checking for `edit_posts` capability instead of an administrator-level capability. This makes it possible for authenticated attackers, with Contributor-level access and above, to list, create, modify, toggle, duplicate, and delete site-wide content restriction rules, potentially exposing restricted content or denying legitimate user access.
| CWE | CWE-862 |
| Vendor | wpeverest |
| Product | user registration & membership – free & paid memberships, subscriptions, content restriction, user profile, custom user registration & login builder |
| Published | Mar 23, 2026 |
| Last Updated | Apr 8, 2026 |
Get instant alerts for wpeverest user registration & membership – free & paid memberships, subscriptions, content restriction, user profile, custom user registration & login builder
Be the first to know when new medium vulnerabilities affecting wpeverest user registration & membership – free & paid memberships, subscriptions, content restriction, user profile, custom user registration & login builder are published — delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N