Members <= 3.2.22 - Unauthenticated Sensitive Information Disclosure via REST API Pagination Side Channel

2026-07-10 14:07
Huazu Jiang (anjhz0318)

Strategic Overview

Status
Patched in 3.2.23
Affected Version<= 3.2.22
CVSS5.3Medium
CVECVE-2026-12426
View all Members – Membership & User Role Editor Plugin vulnerabilities

Vulnerability Overview

The Members – Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.22 via the members_filter_protected_posts_for_rest. This makes it possible for unauthenticated attackers to extract determine the existence and exact count of access-restricted posts, and use per-page pagination as a boolean oracle to infer keywords and content contained within those hidden restricted posts.

Technical Analysis

REMEDIATION: Update to version 3.2.23, or a newer patched version --- IDENTIFIER: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

External References

Vulnerability data © Defiant, Inc., provided under the Wordfence Intelligence T&C

Members <= 3.2.22 - Unauthenticated Sensitive Information Disclosure via REST API Pagination Side Channel (CVE-2026-12426)