The Membership Plugin – Restrict Content for WordPress suffers from a missing authorization vulnerability classified as CWE-862. Specifically, the function rcp_setup_registration_init() processes the rcp_level POST parameter, which specifies the membership level during user registration. However, it fails to verify whether the provided membership level ID is active or requires payment. This oversight allows attackers to specify any membership level, including inactive or paid ones, during registration. Subsequently, the add_user_role() method assigns the WordPress role linked to that membership level without validating the membership status. As a result, unauthenticated attackers can escalate privileges by registering accounts with elevated roles such as Administrator. The vulnerability affects all plugin versions up to and including 3.2.20, with a partial patch introduced in 3.2.18 that does not fully remediate the issue. The CVSS 3.1 score of 8.1 reflects a network attack vector with high impact on confidentiality, integrity, and availability, requiring no privileges or user interaction. Although no public exploits are reported, the flaw presents a critical risk for WordPress sites using this plugin, potentially leading to complete site takeover.

This vulnerability enables unauthenticated attackers to gain unauthorized administrative or other privileged access to WordPress sites using the Membership Plugin – Restrict Content. The impact includes full compromise of site confidentiality, integrity, and availability. Attackers can manipulate site content, steal sensitive data, install backdoors, or disrupt services. Since WordPress powers a significant portion of the web, many organizations relying on this plugin for membership management are at risk. The ability to bypass payment requirements also undermines business models relying on paid memberships. The vulnerability's ease of exploitation and the critical roles that can be assigned make it a severe threat to organizations of all sizes, especially those with sensitive or high-value content. The absence of known exploits in the wild provides a window for remediation but should not reduce urgency.

Organizations should immediately update the Membership Plugin – Restrict Content to a version beyond 3.2.20 once a full patch is released. Until then, administrators should implement strict input validation on the rcp_level parameter to ensure only active and authorized membership levels are accepted during registration. Applying web application firewall (WAF) rules to block suspicious POST requests targeting the rcp_level parameter can reduce attack surface. Restricting registration capabilities or disabling self-registration temporarily may be necessary for high-risk environments. Monitoring user registrations for anomalous privilege assignments and auditing membership level configurations can help detect exploitation attempts. Additionally, enforcing the principle of least privilege on WordPress roles and regularly reviewing user accounts will limit potential damage. Coordinating with the plugin vendor for timely patches and following security advisories is critical.