PT-2026-23412 · WordPress · Wordpress+1

Angus Girvan · Published 2026-03-05 · Updated 2026-03-05 · CVE-2026-1321

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Restrict Content versions prior to 3.2.21

Description

The Restrict Content plugin for WordPress has a flaw that allows unauthorized privilege escalation. The `rcp_setup_registration_init()` function improperly handles the `rcp_level` POST parameter, failing to verify membership level activity or payment requirements. This, combined with the `add_user_role()` method, enables attackers to register with any membership level, potentially gaining privileged WordPress roles like Administrator, or triggering charges for paid levels. A partial fix was implemented in version 3.2.18, but the issue persisted up to and including version 3.2.20.

Recommendations

Update to version 3.2.21 or later.

Fix

LPE

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-1321

Affected Products

Restrict Content
WordPress