Platform: wordpress
Component: user-registration
Fixed in: 5.1.5
CVE-2026-4056 affects the User Registration & Membership plugin for WordPress versions 5.0.1 through 5.1.4. This vulnerability allows authenticated attackers with Contributor-level access or higher to modify site-wide content restriction rules. The impact is the potential exposure of restricted content or denial of access to legitimate users. The vulnerability is resolved in version 5.1.5.
The core of the issue is a missing capability check in the Content Access Rules REST API endpoints. The check_permissions() method only verifies the edit_posts capability, which Contributors and every higher role hold, instead of requiring an administrator-level capability. This oversight allows any authenticated user with Contributor access or greater to list, create, modify, toggle, duplicate, and delete content restriction rules. An attacker could use this to expose content intended for specific user groups or administrators, or to block access to critical areas of the website entirely, leading to data exposure, disruption of service, and reputational damage. Because WordPress is widely deployed and Contributor accounts are common, the low barrier to exploitation increases the potential for widespread compromise.
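To make the defect concrete, here is an added example (not the plugin's own code) of a REST route registered with the weak permission callback the advisory describes beside the administrator-level check that closes the hole. The namespace, route and function names are hypothetical placeholders; the capabilities edit_posts and manage_options and the WordPress APIs used are real.

```php
<?php
// Added illustration, not code from the User Registration & Membership plugin.
// The namespace "example-membership/v1", the route and the function names are
// placeholders; the WordPress functions and capabilities are real.

// Weak pattern matching the advisory: only edit_posts is checked. Contributors,
// Authors, Editors and Administrators all hold edit_posts, so every one of them
// passes and can manage site-wide content restriction rules.
function example_rules_weak_permission_check( WP_REST_Request $request ) {
    return current_user_can( 'edit_posts' );
}

// Hardened pattern: require manage_options, which a default WordPress install
// grants only to Administrators (and Super Admins). Returning a WP_Error lets
// the REST server answer with 401 (logged out) or 403 (logged in, no rights).
function example_rules_admin_permission_check( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Sorry, you are not allowed to manage content access rules.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Placeholder handler; a real plugin would read or write its rules here.
function example_rules_handler( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'rules' => array() ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-membership/v1', '/content-access-rules', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_rules_handler',
            // The fix: every rule-management method uses the admin check.
            // Swapping in example_rules_weak_permission_check here reproduces
            // the class of defect the advisory describes.
            'permission_callback' => 'example_rules_admin_permission_check',
        ),
        array(
            'methods'             => WP_REST_Server::CREATABLE,
            'callback'            => 'example_rules_handler',
            'permission_callback' => 'example_rules_admin_permission_check',
        ),
        array(
            'methods'             => WP_REST_Server::DELETABLE,
            'callback'            => 'example_rules_handler',
            'permission_callback' => 'example_rules_admin_permission_check',
        ),
    ) );
} );
```

The practical review rule this illustrates: a permission_callback on a route that changes site-wide configuration must check a capability that maps to the role actually entitled to change it, not the lowest capability that happens to identify a logged-in user.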
CVE-2026-4056 was publicly disclosed on March 23, 2026. Currently, there are no known public proof-of-concept exploits available. The EPSS score is pending evaluation, but the vulnerability's ease of exploitation and potential impact suggest a medium probability of exploitation. Monitor security advisories and threat intelligence feeds for any signs of active exploitation campaigns targeting this vulnerability.
EPSS: 0.02% (6th percentile)
The primary mitigation is to immediately upgrade the User Registration & Membership plugin to version 5.1.5 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting access to the Content Access Rules REST API endpoints. This can be achieved through WordPress’s built-in role management features, ensuring that only administrators have the necessary permissions. Additionally, review existing content restriction rules for any anomalies or unauthorized modifications. For enhanced security, consider implementing a Web Application Firewall (WAF) with rules to block suspicious requests targeting these endpoints. Detection can be achieved by monitoring WordPress logs for unusual activity related to content restriction rule modifications by non-administrator users.
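One way to implement the temporary workaround and the detection described above, as an added example that is not part of the advisory or the plugin: a must-use plugin that rejects non-administrator requests to the rules endpoints before any handler runs and writes each denied attempt to the PHP error log. The route prefix is a placeholder, since the advisory does not name the plugin's REST namespace; the filter hook, request methods and capability are real WordPress APIs.

```php
<?php
/**
 * Plugin Name: Temporary content-access-rules REST guard (added example)
 *
 * Added example, not code from the plugin or its vendor. Place it in
 * wp-content/mu-plugins/ until the plugin is updated to 5.1.5 or later.
 * EXAMPLE_RULES_ROUTE_PREFIX is a placeholder: replace it with the route
 * prefix the installed plugin really registers (listed at /wp-json/).
 */

const EXAMPLE_RULES_ROUTE_PREFIX = '/PLACEHOLDER-namespace/v1/content-access-rules';

/**
 * Runs before the route's own permission_callback. Any request to the guarded
 * routes from a caller without manage_options is refused and logged, so an
 * unpatched plugin's weak edit_posts check never gets a chance to pass it.
 *
 * @param mixed           $response Null, or a result/error set by an earlier filter.
 * @param array           $handler  Route handler data.
 * @param WP_REST_Request $request  Incoming request.
 * @return mixed
 */
function example_rules_guard( $response, $handler, $request ) {
    if ( is_wp_error( $response ) ) {
        return $response; // an earlier filter already rejected the request
    }
    if ( 0 !== strpos( $request->get_route(), EXAMPLE_RULES_ROUTE_PREFIX ) ) {
        return $response; // not one of the guarded routes
    }
    if ( current_user_can( 'manage_options' ) ) {
        return $response; // administrators keep full access
    }

    // Detection: record who tried, which method and route, and from where.
    $user = wp_get_current_user();
    error_log( sprintf(
        'content-access-rules guard: denied %s %s for user #%d (%s) from %s',
        $request->get_method(),
        $request->get_route(),
        $user->ID,
        $user->ID ? $user->user_login : 'anonymous',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    return new WP_Error(
        'rest_forbidden',
        __( 'Managing content access rules requires administrator privileges.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}
add_filter( 'rest_request_before_callbacks', 'example_rules_guard', 10, 3 );
```

The log lines this produces are what to alert on: any denied entry for a user ID above 0 is a non-administrator account attempting to manage restriction rules, which under normal operation should never happen. Remove the guard once the upgrade to 5.1.5 is in place so it does not mask future regressions in the plugin's own checks.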
Update to version 5.1.5, or a newer patched version
CVE-2026-4056 is a medium-severity vulnerability in the WordPress User Registration & Membership plugin (versions 5.0.1–5.1.4) allowing authenticated users with Contributor access to modify content restriction rules.
You are affected if you are using WordPress User Registration & Membership plugin versions 5.0.1 through 5.1.4. Upgrade to 5.1.5 or later to mitigate the risk.
Upgrade the User Registration & Membership plugin to version 5.1.5 or later. As a temporary workaround, restrict access to the Content Access Rules REST API endpoints to administrators only.
Currently, there are no known public exploits or confirmed active exploitation campaigns for CVE-2026-4056, but the ease of exploitation warrants vigilance.
Refer to the WordPress security advisory for CVE-2026-4056 on the WordPress.org website for the latest information and updates.