CVE-2026-1321

8.1 HIGH

📋 TL;DR

This vulnerability in the WordPress Restrict Content plugin allows unauthenticated attackers to register with any membership level, including inactive or paid levels that grant privileged WordPress roles like Administrator. All WordPress sites using the plugin up to version 3.2.20 are affected, enabling privilege escalation without payment or authorization.

💻 Affected Systems

Products:
  • WordPress Restrict Content (Membership Plugin)
Versions: All versions up to and including 3.2.20
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with the vulnerable plugin are affected regardless of configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain Administrator access to WordPress sites, enabling complete site takeover, data theft, malware installation, and further network compromise.

🟠 Likely Case

Attackers create administrative accounts to deface websites, steal sensitive data, or install backdoors for persistent access.

🟢 If Mitigated

With proper monitoring and access controls, unauthorized admin accounts are detected and removed before significant damage occurs.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted POST requests to registration endpoints with malicious rcp_level parameters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.21 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3447187/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'Restrict Content' plugin.
4. Click 'Update Now' if available, or manually update to version 3.2.21+.
5. Verify that the update completes successfully.

🔧 Temporary Workarounds

Disable Plugin (platform: all)

Temporarily disable the Restrict Content plugin until patched:

  wp plugin deactivate restrict-content

Block Registration Endpoints (platform: linux)

Use a web application firewall or .htaccess to block access to the vulnerable registration endpoints. Add the following to .htaccess, outside the "# BEGIN WordPress" ... "# END WordPress" block (WordPress regenerates that block and would discard the rules):

  <IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{REQUEST_URI} ^/wp-content/plugins/restrict-content/.*\.php$
  RewriteRule ^ - [F,L]
  </IfModule>

This rule only blocks direct requests to PHP files under the plugin directory; a registration form rendered on a normal WordPress page submits to that page's URL, which the pattern does not match, so confirm where your site's registration form posts before relying on it.

🧯 If You Can't Patch

  • Implement strict monitoring for new user registrations and role changes
  • Enable multi-factor authentication for all administrative accounts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Restrict Content version. If version is 3.2.20 or lower, you are vulnerable.

Check Version:

wp plugin get restrict-content --field=version

Verify Fix Applied:

Verify plugin version is 3.2.21 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual user registrations with administrative roles
  • POST requests to /wp-content/plugins/restrict-content/ with rcp_level parameter
  • Multiple failed registration attempts with varying level IDs

Network Indicators:

  • HTTP POST requests to registration endpoints with crafted rcp_level values
  • Traffic spikes to WordPress registration pages

SIEM Query:

source="wordpress" AND ((event="user_registered" AND user_role="administrator") OR (uri_path="/wp-content/plugins/restrict-content/" AND http_method="POST" AND parameters CONTAINS "rcp_level="))

This is a pseudo-query; adapt the field names and the CONTAINS operator to your SIEM's syntax. The outer parentheses matter: AND binds tighter than OR, so without them the source="wordpress" filter would apply only to the first branch.
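Added example, not part of this advisory: the log indicators and the SIEM query above expressed as a small Python detector run over constructed, normalised events, extended with a per-client count of distinct rcp_level values to cover the "varying level IDs" indicator. It assumes a SIEM that normalises WordPress events into the field names used in the query (source, event, user_role, uri_path, http_method, parameters) plus a client_ip, and that request parameters are available in a parameters field, since a plain access log does not record POST bodies.

```python
from collections import defaultdict
from urllib.parse import parse_qs

PLUGIN_PATH = "/wp-content/plugins/restrict-content/"
LEVEL_PROBE_THRESHOLD = 3  # distinct rcp_level values from one client before alerting

def http_event(ip, method, path, params, source="wordpress"):
    # Normalised HTTP request event; field names follow the SIEM query above.
    return {"source": source, "event": "http_request", "client_ip": ip,
            "http_method": method, "uri_path": path, "parameters": params}

def user_event(ip, login, role):
    # Normalised WordPress user_registered event.
    return {"source": "wordpress", "event": "user_registered", "client_ip": ip,
            "user_login": login, "user_role": role}

# Constructed sample events, not from a real incident: one client probes several
# level IDs and ends up registered as administrator; another registers normally;
# a final event comes from a different source and must not match.
EVENTS = [
    http_event("203.0.113.5", "POST", PLUGIN_PATH, "rcp_user_login=bob&rcp_level=3"),
    http_event("203.0.113.5", "POST", PLUGIN_PATH, "rcp_user_login=bob&rcp_level=9"),
    http_event("203.0.113.5", "POST", PLUGIN_PATH, "rcp_user_login=bob&rcp_level=12"),
    user_event("203.0.113.5", "bob", "administrator"),
    http_event("198.51.100.9", "GET", "/membership/", ""),
    user_event("198.51.100.9", "alice", "subscriber"),
    http_event("192.0.2.7", "POST", PLUGIN_PATH, "rcp_level=1", source="nginx"),
]

def rcp_level_of(event):
    """Return the rcp_level value of a POST to the plugin path, else None."""
    if event.get("http_method") != "POST" or not event.get("uri_path", "").startswith(PLUGIN_PATH):
        return None
    return parse_qs(event.get("parameters", "")).get("rcp_level", [None])[0]

def detect(events):
    """Return (rule, client_ip, detail) alerts for the log indicators listed above."""
    alerts, levels_seen = [], defaultdict(set)
    for e in events:
        if e.get("source") != "wordpress":  # source filter must cover both branches
            continue
        if e.get("event") == "user_registered" and e.get("user_role") == "administrator":
            alerts.append(("admin_registration", e["client_ip"], e["user_login"]))
        level = rcp_level_of(e)
        if level is not None:
            alerts.append(("rcp_level_post", e["client_ip"], level))
            levels_seen[e["client_ip"]].add(level)
    for ip, levels in levels_seen.items():
        if len(levels) >= LEVEL_PROBE_THRESHOLD:  # the "varying level IDs" indicator
            alerts.append(("level_enumeration", ip, sorted(levels)))
    return alerts
```

Run against EVENTS, detect() reports three rcp_level posts, one administrator registration and one level_enumeration alert, all for 203.0.113.5, and nothing for the other clients.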
