WordPress Plugin Vulnerabilities

Membership Plugin – Restrict Content < 3.2.19 - Authenticated (Administrator+) Stored Cross-Site Scripting via Invoice Settings

Description

The Membership Plugin – Restrict Content for WordPress is vulnerable to Stored Cross-Site Scripting via multiple invoice settings fields in all versions up to, and including, 3.2.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
restrict-content
Fixed in 3.2.19

References

CVE
CVE-2026-1304
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/cdd563b7-a1b9-4d99-9a6e-c8acf9dda619

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
Miguel Santareno
Verified
No
WPVDB ID
b3268337-d768-4193-b4c2-911b8a175a4c

Timeline

Publicly Published
2026-02-17 (about 2 months ago)
Added
2026-02-17 (about 2 months ago)
Last Updated
2026-02-18 (about 2 months ago)

Other

Published
Title
Published
2026-01-13
Title
Makesweat <= 0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'makesweat_clubid' Setting
Published
2024-03-29
Title
Aesop Story Engine <= 2.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2014-08-01
Title
SWFUpload - Cross-Site Scripting (XSS)
Published
2024-02-19
Title
Link Library < 7.6.1 - Unauthenticated Stored Cross-Site Scripting
Published
2024-11-01
Title
Knowledge Base < 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting