Skip to main content

Members Plugin CVE-2026-12426

| EUVDEUVD-2026-43125 MEDIUM
Information Exposure (CWE-200)
2026-07-11 Wordfence GHSA-5xr4-65q6-7jp8
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

REST API endpoint is network-accessible with no authentication required; confidentiality impact is low because only metadata and inferred keywords are exposed, not post content directly.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 03:51 vuln.today
CVE Published
Jul 11, 2026 - 02:31 cve.org
MEDIUM 5.3

DescriptionCVE.org

The Members - Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.22 via the members_filter_protected_posts_for_rest. This makes it possible for unauthenticated attackers to extract determine the existence and exact count of access-restricted posts, and use per-page pagination as a boolean oracle to infer keywords and content contained within those hidden restricted posts.

AnalysisAI

Sensitive information exposure in the Members - Membership & User Role Editor Plugin for WordPress (all versions through 3.2.22) allows unauthenticated network attackers to exploit the REST API filter members_filter_protected_posts_for_rest as a boolean oracle, revealing the existence, count, and inferred keyword content of posts explicitly restricted by membership rules. The mechanism abuses per-page pagination parameters to observe response count changes, enabling iterative inference of hidden post content without ever receiving the post body directly. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running Members plugin
Delivery
Query REST API posts endpoint unauthenticated
Exploit
Vary per_page and search parameters
Execution
Observe result count as boolean oracle signal
Persist
Iterate keyword guesses to detect content matches
Impact
Reconstruct restricted post existence, count, and keyword content

Vulnerability AssessmentAI

Exploitation The WordPress REST API must be accessible to unauthenticated users, which is the default configuration for all standard WordPress installations - no special setup is required beyond installing and activating the Members plugin, which registers the `members_filter_protected_posts_for_rest` filter automatically on activation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.3 (Medium) reflects an accurate but incomplete picture of risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends iterative REST API requests to `/?rest_route=/wp/v2/posts` on a target WordPress site with the Members plugin active, varying the `per_page` parameter alongside keyword search terms to observe how the returned post count changes. By systematically guessing likely keywords - product names, personal identifiers, medical terms, or payment details - and noting count fluctuations as a boolean signal, the attacker maps which terms appear in restricted posts, progressively reconstructing sensitive content without ever receiving a post body. …
Remediation Update the Members plugin to a version above 3.2.22 as soon as a released patched version is available. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12426 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy