Membership Plugin – Restrict Content < 3.2.25 – Unvalidated Redirect in Password Reset Flow | CVE 2026-4136 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Unvalidated Redirect due to insufficient validation on the redirect url supplied via the 'rcp_redirect' parameter. This makes it possible for unauthenticated attackers to redirect users with the password reset email to potentially malicious sites if they can successfully trick them into performing an action.

Affects Plugins

restrict-content

Fixed in 3.2.25

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/e4cf42d3-9864-440b-8357-36c82cbef28f

Classification

Type

REDIRECT

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Supakiad S. (m3ez)

Verified

No

WPVDB ID

2a2e29d5-9f68-4529-ac6e-45dbad7f2153

Timeline

Publicly Published

2026-03-19 (about 1 month ago)

Added

2026-03-19 (about 1 month ago)

Last Updated

2026-03-19 (about 1 month ago)

Other

Published

Title

Published

2025-12-15

Title

Directorist < 8.6.7 - Unauthenticated Open Redirect

Published

2020-03-31

Title

WordPress SEO Plugin - Rank Math < 1.0.41 - Redirect Creation via Unprotected REST API Endpoint

Published

2023-05-11

Title

Frontend Post WordPress Plugin <= 2.8.4 - Contributor+ Arbitrary Redirect

Published

2019-05-18

Title

Newsletter Manager < 1.5 - Unauthenticated Open Redirect

Published

2023-12-27

Title

Advanced Access Manager < 6.9.19 - Open Redirect