Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in StellarWP Restrict Content restrict-content allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Restrict Content: from n/a through <= 3.2.22.
AnalysisAI
StellarWP Restrict Content plugin versions 3.2.22 and earlier contain an authorization bypass that allows unauthenticated attackers to modify access control settings through improper validation of security levels. An attacker can leverage this vulnerability to escalate privileges or grant unauthorized content access to restricted resources. No patch is currently available.
Technical ContextAI
The vulnerability resides in the StellarWP Restrict Content WordPress plugin (cpe:2.3:a:stellarwp:restrict_content:*:*:*:*:*:*:*:*), which implements access control mechanisms to restrict content visibility based on user authentication and subscription levels. The root cause is classified under CWE-862 (Missing Authorization), indicating that the plugin fails to properly verify user permissions before granting access to protected content. This type of vulnerability typically stems from flawed authorization logic where access control checks are either missing entirely, bypassable through parameter manipulation, or inconsistently applied across different content access points. The plugin's handling of access control security levels contains configuration or enforcement gaps that allow unauthenticated or lower-privileged users to circumvent intended restrictions.
RemediationAI
Upgrade StellarWP Restrict Content to a patched version greater than 3.2.22 immediately. Consult the Patchstack vulnerability report at https://patchstack.com/database/Wordpress/Plugin/restrict-content/vulnerability/wordpress-restrict-content-plugin-3-2-22-broken-access-control-vulnerability?_s_id=cve for patch availability and release details. As an interim mitigation before patching is possible, implement Web Application Firewall (WAF) rules to detect and block suspicious access patterns to restricted content endpoints, restrict plugin functionality through WordPress role-based access controls to limit administrative changes, and audit existing access logs for evidence of unauthorized content access. Additionally, review and manually verify that content restriction rules are properly enforced at the application level and consider temporarily disabling the plugin if the patch is unavailable and content protection is business-critical.
More in Restrict Content
View allThe Membership WordPress plugin before 3.2.3 does not sanitise and escape a parameter before outputting it back in the p
Restrict Content versions up to 3.2.16 is affected by authorization bypass through user-controlled key (CVSS 8.2).
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in StellarWP Membership Plugin - Restrict Conte
The Membership Plugin - Restrict Content plugin for WordPress is vulnerable to Sensitive Information Exposure in all ver
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15925
GHSA-p2jw-wg96-jv3g