Skip to main content

Restrict Content CVE-2026-32546

| EUVDEUVD-2026-15925 HIGH
Missing Authorization (CWE-862)
2026-03-25 Patchstack GHSA-p2jw-wg96-jv3g
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15925
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:15 nvd
HIGH 7.5

DescriptionCVE.org

Missing Authorization vulnerability in StellarWP Restrict Content restrict-content allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Restrict Content: from n/a through <= 3.2.22.

AnalysisAI

StellarWP Restrict Content plugin versions 3.2.22 and earlier contain an authorization bypass that allows unauthenticated attackers to modify access control settings through improper validation of security levels. An attacker can leverage this vulnerability to escalate privileges or grant unauthorized content access to restricted resources. No patch is currently available.

Technical ContextAI

The vulnerability resides in the StellarWP Restrict Content WordPress plugin (cpe:2.3:a:stellarwp:restrict_content:*:*:*:*:*:*:*:*), which implements access control mechanisms to restrict content visibility based on user authentication and subscription levels. The root cause is classified under CWE-862 (Missing Authorization), indicating that the plugin fails to properly verify user permissions before granting access to protected content. This type of vulnerability typically stems from flawed authorization logic where access control checks are either missing entirely, bypassable through parameter manipulation, or inconsistently applied across different content access points. The plugin's handling of access control security levels contains configuration or enforcement gaps that allow unauthenticated or lower-privileged users to circumvent intended restrictions.

RemediationAI

Upgrade StellarWP Restrict Content to a patched version greater than 3.2.22 immediately. Consult the Patchstack vulnerability report at https://patchstack.com/database/Wordpress/Plugin/restrict-content/vulnerability/wordpress-restrict-content-plugin-3-2-22-broken-access-control-vulnerability?_s_id=cve for patch availability and release details. As an interim mitigation before patching is possible, implement Web Application Firewall (WAF) rules to detect and block suspicious access patterns to restricted content endpoints, restrict plugin functionality through WordPress role-based access controls to limit administrative changes, and audit existing access logs for evidence of unauthorized content access. Additionally, review and manually verify that content restriction rules are properly enforced at the application level and consider temporarily disabling the plugin if the patch is unavailable and content protection is business-critical.

Share

CVE-2026-32546 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy