Members <= 3.2.22 - Unauthenticated Sensitive Information Disclosure via REST API Pagination Side Channel
Strategic Overview
<= 3.2.22CVE-2026-12426Vulnerability Overview
The Members – Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.22 via the members_filter_protected_posts_for_rest. This makes it possible for unauthenticated attackers to extract determine the existence and exact count of access-restricted posts, and use per-page pagination as a boolean oracle to infer keywords and content contained within those hidden restricted posts.
Technical Analysis
REMEDIATION: Update to version 3.2.23, or a newer patched version --- IDENTIFIER: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
External References
Vulnerability data © Defiant, Inc., provided under the Wordfence Intelligence T&C