Platform
wordpress
Component
user-registration
Fixed in
5.1.5
CVE-2026-4056 affects the User Registration & Membership plugin for WordPress versions 5.0.1 through 5.1.4. This vulnerability allows authenticated attackers with Contributor-level access or higher to modify site-wide content restriction rules. The impact is the potential exposure of restricted content or denial of access to legitimate users. The vulnerability is resolved in version 5.1.5.
The core of the issue is a missing capability check in the Content Access Rules REST API endpoints. The check_permissions() method verifies only the edit_posts capability instead of requiring administrator-level privileges. This oversight allows authenticated users with Contributor access or higher to list, create, modify, toggle, duplicate, and delete content restriction rules. An attacker could leverage this to expose content intended for specific user groups or administrators, or to block access to critical areas of the website entirely. This could lead to data breaches, disruption of service, and reputational damage. The ease of exploitation, given the prevalence of WordPress and how commonly sites have users with the Contributor role, increases the potential for widespread compromise.
CVE-2026-4056 was publicly disclosed on March 23, 2026. Currently, there are no known public proof-of-concept exploits available. The EPSS score is pending evaluation, but the vulnerability's ease of exploitation and potential impact suggest a medium probability of exploitation. Monitor security advisories and threat intelligence feeds for any signs of active exploitation campaigns targeting this vulnerability.
Websites utilizing the User Registration & Membership plugin, particularly those with a large number of users with Contributor or higher roles, are at risk. Shared hosting environments where users have more extensive permissions than typically granted are also particularly vulnerable. Sites relying on content restriction rules for sensitive data or restricted access areas face the highest risk.
• wordpress / plugin: Check the plugin version. If < 5.1.5, the system is vulnerable.
wp plugin list | grep user-registration
wp plugin get user-registration-and-membership --field=version
• wordpress / plugin: Examine WordPress access logs for requests to /wp-json/user-registration/v1/rules originating from non-administrator users (Contributor level and above).
• wordpress / plugin: Review WordPress user roles and capabilities to ensure only administrators have access to manage content restriction rules.
Disclosure
Exploit status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the User Registration & Membership plugin to version 5.1.5 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting access to the Content Access Rules REST API endpoints. This can be achieved through WordPress’s built-in role management features, ensuring that only administrators have the necessary permissions. Additionally, review existing content restriction rules for any anomalies or unauthorized modifications. For enhanced security, consider implementing a Web Application Firewall (WAF) with rules to block suspicious requests targeting these endpoints. Detection can be achieved by monitoring WordPress logs for unusual activity related to content restriction rule modifications by non-administrator users.
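The temporary workaround described above, written as an added example rather than code from the plugin or its vendor: a must-use plugin that short-circuits REST requests to the Content Access Rules routes for anyone without administrator-level capability, which is exactly the check the flawed permission callback omitted. It assumes the routes sit under the /user-registration/v1/rules path cited in the detection steps and that manage_options is the appropriate administrator capability; both are assumptions, so verify the route prefix against the installed plugin before deploying.

```php
<?php
/**
 * Plugin Name: Temporary guard for CVE-2026-4056 (hypothetical mu-plugin)
 *
 * Place this file in wp-content/mu-plugins/ as a stop-gap until the
 * User Registration & Membership plugin is updated to 5.1.5 or later.
 * It blocks REST requests to the Content Access Rules routes for every
 * user who lacks the administrator-level capability.
 */

// Assumption: the vulnerable routes share this REST route prefix
// (derived from the /wp-json/user-registration/v1/rules path cited above).
const CVE_2026_4056_ROUTE_PREFIX = '/user-registration/v1/rules';

// Assumption: managing restriction rules should require manage_options,
// i.e. an administrator; the flawed callback only asked for edit_posts.
const CVE_2026_4056_REQUIRED_CAP = 'manage_options';

add_filter( 'rest_pre_dispatch', 'cve_2026_4056_guard_rules_routes', 10, 3 );

function cve_2026_4056_guard_rules_routes( $result, $server, $request ) {
    // Leave every other route (and any earlier short-circuit) untouched.
    if ( null !== $result ) {
        return $result;
    }
    $route = $request->get_route();
    if ( 0 !== strpos( $route, CVE_2026_4056_ROUTE_PREFIX ) ) {
        return $result;
    }

    // Enforce the capability the plugin's own permission callback omitted.
    if ( current_user_can( CVE_2026_4056_REQUIRED_CAP ) ) {
        return $result;
    }

    // Record the blocked attempt so non-admin access can be reviewed later.
    error_log( sprintf(
        'CVE-2026-4056 guard: blocked %s %s for user %d',
        $request->get_method(),
        $route,
        get_current_user_id()
    ) );

    return new WP_Error(
        'rest_forbidden',
        __( 'Managing content access rules requires administrator privileges.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}
```

The rest_pre_dispatch filter runs before the endpoint's own permission callback, so the guard applies to listing, creating, toggling, duplicating, and deleting rules alike; remove the file once the plugin is upgraded.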
Update to version 5.1.5 or a newer patched version.
CVE-2026-4056 is a medium-severity vulnerability in the WordPress User Registration & Membership plugin (versions 5.0.1–5.1.4) allowing authenticated users with Contributor access to modify content restriction rules.
You are affected if you are using WordPress User Registration & Membership plugin versions 5.0.1 through 5.1.4. Upgrade to 5.1.5 or later to mitigate the risk.
Upgrade the User Registration & Membership plugin to version 5.1.5 or later. As a temporary workaround, restrict access to the Content Access Rules REST API endpoints to administrators only.
Currently, there are no known public exploits or confirmed active exploitation campaigns for CVE-2026-4056, but the ease of exploitation warrants vigilance.
Refer to the WordPress security advisory for CVE-2026-4056 on the WordPress.org website for the latest information and updates.