CVE-2026-1321 describes a missing authorization vulnerability in the Membership Plugin – Restrict Content for WordPress. The vulnerability arises because the function `rcp_setup_registration_init()` accepts a membership level ID via the `rcp_level` POST parameter without validating whether the membership level is active or requires payment. The plugin then assigns WordPress roles based on this membership level using the `add_user_role()` method without verifying the status of the level. This flaw allows unauthenticated attackers to register with any membership level, including inactive levels that may grant high-privilege roles like Administrator or paid levels that normally require a sign-up fee. Although a partial fix was applied in version 3.2.18, versions up to 3.2.20 remain vulnerable. The CVSS v3.1 score is 8.1, indicating a high severity vulnerability with network attack vector, high impact on confidentiality, integrity, and availability, and no privileges or user interaction required.

Successful exploitation allows unauthenticated attackers to escalate privileges by registering with arbitrary membership levels, including those granting administrative roles. This can lead to full compromise of the WordPress site, including unauthorized access, modification, and disruption of site content and functionality. The vulnerability affects all versions up to and including 3.2.20, despite a partial patch in 3.2.18. No known exploits in the wild have been reported as of the published date.

Patch status is not yet confirmed — no official patch links are provided in the available data. Users should check the vendor advisory for current remediation guidance. Since a partial patch was introduced in version 3.2.18 but versions up to 3.2.20 remain vulnerable, upgrading to a version beyond 3.2.20 if available or applying vendor-recommended fixes is advised. Until an official fix is confirmed, restricting access to the registration endpoint or disabling the plugin may reduce risk.