Sensitive Information Exposure in Membership & User Role Editor Plugin for WordPress
CVE-2026-12426

5.3MEDIUM

What is CVE-2026-12426?

The Members – Membership & User Role Editor Plugin for WordPress contains a vulnerability that allows unauthenticated attackers to access sensitive information. This flaw, present in all versions up to and including 3.2.22, pertains to the 'members_filter_protected_posts_for_rest' functionality. Attackers can leverage this vulnerability to ascertain the presence and count of access-restricted posts. Furthermore, by utilizing per-page pagination, they can infer keywords and content within those hidden posts, potentially compromising the security and privacy of the information intended to be protected.

Affected Version(s)

Members – Membership & User Role Editor Plugin 0 <= 3.2.22

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Huazu Jiang (anjhz0318)
.