CVE-2026-4136

Published: Mar 20, 2026 Last Modified: Mar 20, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 4,3

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: required

Scope: unchanged

Confidentiality: none

Integrity: low

Availability: none

Description

AI Translation Available

The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.2.24. This is due to insufficient validation on the redirect url supplied via the 'rcp_redirect' parameter. This makes it possible for unauthenticated attackers to redirect users with the password reset email to potentially malicious sites if they can successfully trick them into performing an action.

640

Weak Password Recovery Mechanism for Forgotten Password

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Access Control Availability Integrity Other

Potential Impacts:

Gain Privileges Or Assume Identity Dos: Resource Consumption (Other) Other

Applicable Platforms

All platforms may be affected

Likelihood of Exploit: High

View CWE Details

https://plugins.trac.wordpress.org/browser/restrict-content…

https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.24/core/in…

https://plugins.trac.wordpress.org/changeset/3486071/restri…

https://plugins.trac.wordpress.org/changeset/3486071/restrict-content

https://www.wordfence.com/threat-intel/vulnerabilities/id/e…

https://www.wordfence.com/threat-intel/vulnerabilities/id/e4cf42d3-9864-440b-83…

CVE-2026-4136

Description

Weak Password Recovery Mechanism for Forgotten Password

Common Consequences

Applicable Platforms

Iscriviti alla newsletter