CVE-2026-1321
Published: 05 March 2026
Description
The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.20. This is due to the `rcp_setup_registration_init()` function accepting any membership level ID via the `rcp_level` POST parameter without validating that the level is active or that payment is required. Combined with the `add_user_role()` method which assigns the WordPress role configured on the membership level without status checks, this makes it possible for unauthenticated attackers to register with any membership level, including inactive levels that grant privileged WordPress roles such as Administrator, or paid levels that charge a sign-up fee. The vulnerability was partially patched in version 3.2.18.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the CVE by requiring timely remediation of the identified flaw in the plugin's registration function through patching or replacement.
- Enforces missing authorization checks on the `rcp_level` parameter and role assignment to prevent unauthenticated privilege escalation.
- Requires validation of the `rcp_level` POST input to ensure the membership level is active and payment-required before processing registration.
Security Summary
CVE-2026-1321 is a privilege escalation vulnerability affecting the Membership Plugin – Restrict Content for WordPress in all versions up to and including 3.2.20. The issue stems from the `rcp_setup_registration_init()` function, which accepts any membership level ID through the `rcp_level` POST parameter without verifying whether the level is active or requires payment. This flaw combines with the `add_user_role()` method, which assigns the configured WordPress role for the membership level without performing status checks, enabling unauthorized role assignments.
Unauthenticated attackers can exploit this vulnerability over the network by submitting a registration request with a manipulated `rcp_level` POST parameter specifying any desired membership level. This allows them to self-register for inactive levels that grant privileged WordPress roles, such as Administrator, or paid levels that normally require a sign-up fee, without any validation or payment. The CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects high impact on confidentiality, integrity, and availability, linked to CWE-862 (Missing Authorization).
The vulnerability was partially patched in version 3.2.18, though versions up to 3.2.20 remain affected. References point to specific code locations in the plugin's source, including `class-rcp-registration.php` at line 107, `class-rcp-membership.php` at line 1939, and `registration-functions.php` at lines 1191 and 1203 in tag 3.2.15, along with changeset 3447187, which likely details the partial fix. Security practitioners should urge immediate updates to the latest plugin version and review membership level configurations to ensure no inactive privileged levels exist.
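The two checks the advisory describes as missing, plus the configuration review it recommends, as an added Python model; this is not the plugin's code, and the `Level` table, the privileged-role set and the function names are constructed for illustration:

```python
"""Model of the level validation CVE-2026-1321 describes as absent.

Added illustration, not the plugin's code: the level table, the
privileged-role set and all function names are constructed here.
"""
from dataclasses import dataclass

PRIVILEGED_ROLES = {"administrator", "editor"}  # assumption: roles worth flagging


@dataclass(frozen=True)
class Level:
    level_id: int
    name: str
    status: str      # "active" or "inactive"
    price: float     # sign-up fee; > 0 means payment is required
    role: str        # WordPress role granted on registration


# Constructed sample configuration: a free active level, a paid level,
# and an inactive level that still maps to Administrator.
LEVELS = {
    1: Level(1, "Free", "active", 0.0, "subscriber"),
    2: Level(2, "Pro", "active", 49.0, "subscriber"),
    3: Level(3, "Staff (retired)", "inactive", 0.0, "administrator"),
}


def validate_level(levels, rcp_level, payment_completed=False):
    """Return (ok, reason) for a submitted rcp_level value: the level must
    exist and be active, and a paid level may only grant its role once
    payment has actually completed (the checks the advisory says are absent)."""
    try:
        level_id = int(rcp_level)
    except (TypeError, ValueError):
        return False, "rcp_level is not an integer"
    level = levels.get(level_id)
    if level is None:
        return False, "unknown level"
    if level.status != "active":
        return False, "level is inactive"
    if level.price > 0 and not payment_completed:
        return False, "payment required before role assignment"
    return True, "ok"


def audit_levels(levels):
    """Configuration review: ids of inactive levels that still grant a
    privileged role, i.e. the ones an unpatched site would expose."""
    return sorted(lvl.level_id for lvl in levels.values()
                  if lvl.status != "active" and lvl.role in PRIVILEGED_ROLES)
```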
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote exploitation of a public-facing WordPress plugin vulnerability enables privilege escalation to administrator roles via manipulated registration without authorization checks.