{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1304", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-21T19:02:37.312Z", "datePublished": "2026-02-18T05:29:18.540Z", "dateUpdated": "2026-04-08T17:24:15.096Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:15.096Z"}, "affected": [{"vendor": "stellarwp", "product": "Membership Plugin \u2013 Restrict Content", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.2.18", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Membership Plugin \u2013 Restrict Content for WordPress is vulnerable to Stored Cross-Site Scripting via multiple invoice settings fields in all versions up to, and including, 3.2.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Membership Plugin \u2013 Restrict Content <= 3.2.18 - Authenticated (Administrator+) Stored Cross-Site Scripting via Invoice Settings", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cdd563b7-a1b9-4d99-9a6e-c8acf9dda619?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L896"}, {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L905"}, {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L914"}, {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L923"}, {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L932"}, {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L941"}, {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L950"}, {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L971"}, {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/templates/invoice.php#L271"}, {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/templates/invoice.php#L281"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448964%40restrict-content&new=3448964%40restrict-content&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Miguel Santareno"}], "timeline": [{"time": "2026-01-21T19:17:48.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-17T17:14:49.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T12:25:11.558229Z", "id": "CVE-2026-1304", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:52:47.695Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1304", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T12:25:11.558229Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:25:12.468Z"}}], "cna": {"title": "Membership Plugin \u2013 Restrict Content <= 3.2.18 - Authenticated (Administrator+) Stored Cross-Site Scripting via Invoice Settings", "credits": [{"lang": "en", "type": "finder", "value": "Miguel Santareno"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "stellarwp", "product": "Membership Plugin \u2013 Restrict Content", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.2.18"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-21T19:17:48.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-17T17:14:49.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cdd563b7-a1b9-4d99-9a6e-c8acf9dda619?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L896"}, {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L905"}, {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L914"}, {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L923"}, {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L932"}, {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L941"}, {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L950"}, {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L971"}, {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/templates/invoice.php#L271"}, {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/templates/invoice.php#L281"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448964%40restrict-content&new=3448964%40restrict-content&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Membership Plugin \u2013 Restrict Content for WordPress is vulnerable to Stored Cross-Site Scripting via multiple invoice settings fields in all versions up to, and including, 3.2.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:15.096Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1304", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:24:15.096Z", "dateReserved": "2026-01-21T19:02:37.312Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-18T05:29:18.540Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Membership Plugin \u2013 Restrict Content for WordPress is vulnerable to Stored Cross-Site Scripting via multiple invoice settings fields in all versions up to, and including, 3.2.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin de membres\u00eda \u2013 Restrict Content para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de m\u00faltiples campos de configuraci\u00f3n de facturas en todas las versiones hasta la 3.2.18, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de nivel de administrador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-1304", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-18T06:16:34.013", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L896"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L905"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L914"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L923"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L932"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L941"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L950"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/admin/settings/settings.php#L971"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/templates/invoice.php#L271"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/templates/invoice.php#L281"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448964%40restrict-content&new=3448964%40restrict-content&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cdd563b7-a1b9-4d99-9a6e-c8acf9dda619?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.2.18]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Membership Plugin \u2013 Restrict Content", "source": "cna", "vendor": "stellarwp"}, "product": "membership_plugin_-_restrict_content", "vendor": "stellarwp"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T18:19:07.921811+00:00", "value": {"mitigation_remediation": ["Upgrade the Membership Plugin \u2013 Restrict Content to the latest stable release that addresses invoice\u2011field input sanitization.", "While awaiting the update, restrict administrative access to the invoice settings or replace the invoice template with a version that does not echo user\u2011supplied input.", "Deploy a content\u2011security\u2011policy that limits script execution to trusted origins to mitigate the impact of any remaining injected code."], "summary": {"action": "Patch", "impact": "Authenticated Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is StellarWP Membership Plugin \u2013 Restrict Content for WordPress. All released versions up to and including 3.2.18 can be impacted; later releases are not listed as affected.", "description_and_impact": "The Membership Plugin \u2013 Restrict Content contains a stored cross\u2011site scripting flaw in several invoice settings fields. Administrators or higher privileged users can insert arbitrary web script code, which is subsequently rendered in the invoice template and executed when a visitor views the page. The vulnerability is classified as CWE\u201179 and allows injected code to run in the context of the web page.", "risk_and_exploitability": "The impact score is CVSS\u202f4.4, indicating moderate severity. EPSS is below 1\u202f% and the vulnerability is not listed in CISA\u2019s KEV catalog, implying a low current exploitation likelihood. Exploitation requires authenticated access at the Administrator level or higher; the injected script is stored and executed when any user accesses a page that renders the invoice template. The attack vector is therefore authenticated stored XSS."}}}}, "created": "2026-02-18T10:32:44.815614+00:00", "updated": "2026-04-15T18:30:10.936202+00:00", "vendors": ["stellarwp", "stellarwp$PRODUCT$membership_plugin_-_restrict_content", "wordpress", "wordpress$PRODUCT$wordpress"]}