Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
REST API endpoint is network-accessible with no authentication required; confidentiality impact is low because only metadata and inferred keywords are exposed, not post content directly.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Members - Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.22 via the members_filter_protected_posts_for_rest. This makes it possible for unauthenticated attackers to extract determine the existence and exact count of access-restricted posts, and use per-page pagination as a boolean oracle to infer keywords and content contained within those hidden restricted posts.
AnalysisAI
Sensitive information exposure in the Members - Membership & User Role Editor Plugin for WordPress (all versions through 3.2.22) allows unauthenticated network attackers to exploit the REST API filter members_filter_protected_posts_for_rest as a boolean oracle, revealing the existence, count, and inferred keyword content of posts explicitly restricted by membership rules. The mechanism abuses per-page pagination parameters to observe response count changes, enabling iterative inference of hidden post content without ever receiving the post body directly. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The WordPress REST API must be accessible to unauthenticated users, which is the default configuration for all standard WordPress installations - no special setup is required beyond installing and activating the Members plugin, which registers the `members_filter_protected_posts_for_rest` filter automatically on activation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.3 (Medium) reflects an accurate but incomplete picture of risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends iterative REST API requests to `/?rest_route=/wp/v2/posts` on a target WordPress site with the Members plugin active, varying the `per_page` parameter alongside keyword search terms to observe how the returned post count changes. By systematically guessing likely keywords - product names, personal identifiers, medical terms, or payment details - and noting count fluctuations as a boolean signal, the attacker maps which terms appear in restricted posts, progressively reconstructing sensitive content without ever receiving a post body. … |
| Remediation | Update the Members plugin to a version above 3.2.22 as soon as a released patched version is available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43125
GHSA-5xr4-65q6-7jp8