Home

Description

The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Content Access Rules REST API endpoints in versions 5.0.1 through 5.1.4. This is due to the `check_permissions()` method only checking for `edit_posts` capability instead of an administrator-level capability. This makes it possible for authenticated attackers, with Contributor-level access and above, to list, create, modify, toggle, duplicate, and delete site-wide content restriction rules, potentially exposing restricted content or denying legitimate user access.

PUBLISHED Reserved 2026-03-12 | Published 2026-03-23 | Updated 2026-04-08 | Assigner Wordfence




MEDIUM: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Problem types

CWE-862 Missing Authorization

Product status

Default status
unaffected

Any version
affected

Timeline

2026-03-12:Vendor Notified
2026-03-23:Disclosed

Credits

darkestmode finder

References

www.wordfence.com/...-9644-4850-a5f9-7c925af000c8?source=cve

plugins.trac.wordpress.org/...-urcr-content-access-rules.php

plugins.trac.wordpress.org/...-urcr-content-access-rules.php

plugins.trac.wordpress.org/...-urcr-content-access-rules.php

cve.org (CVE-2026-4056)

nvd.nist.gov (CVE-2026-4056)

Download JSON