CVE-2026-4136 Overview
CVE-2026-4136 is an unvalidated redirect vulnerability in the Membership Plugin – Restrict Content for WordPress. The flaw affects all versions up to and including 3.2.24. The plugin fails to validate the rcp_redirect parameter used during the password reset workflow. Unauthenticated attackers can craft password reset links that redirect victims to attacker-controlled domains after interaction. The issue is categorized under CWE-640: Weaker Authentication Recovery Mechanism. Successful exploitation typically requires social engineering to convince a user to follow a tampered reset link.
Critical Impact
Attackers can leverage the password reset flow to redirect WordPress users to phishing or malware hosting sites, enabling credential theft and follow-on account compromise.
Affected Products
- Membership Plugin – Restrict Content for WordPress, versions up to and including 3.2.24
- WordPress sites using the restrict-content plugin with password reset enabled
- Patched in the changeset published at revision 3486071
Discovery Timeline
- 2026-03-20 - CVE-2026-4136 published to the National Vulnerability Database
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-4136
Vulnerability Analysis
The Restrict Content plugin exposes an unvalidated redirect within its login and password reset functions. The vulnerable logic resides in core/includes/login-functions.php around line 270 in version 3.2.24. The plugin reads the rcp_redirect request parameter and embeds it in the password reset email or post-action redirect without verifying that the destination belongs to the site's own host. An attacker can append rcp_redirect=https://attacker.example/ to a reset request and have the resulting email or redirect carry that destination. When the victim completes the action, the browser is sent to the attacker-supplied URL. This pattern matches the standard open redirect anti-pattern described in [CWE-640].
Root Cause
The root cause is insufficient input validation on a user-controlled URL parameter. The plugin treats the rcp_redirect value as trusted and does not enforce same-origin checks, an allowlist of internal paths, or use of WordPress helpers such as wp_safe_redirect(). Without these controls, any absolute URL becomes a valid redirect target.
Attack Vector
Exploitation requires no authentication but does require user interaction. An attacker sends a crafted link or initiates a password reset that injects a malicious rcp_redirect value. The user must click the link or complete the reset flow. The destination site can then mimic the WordPress login screen to harvest credentials or deliver malware. Technical details are available in the Wordfence vulnerability report and the upstream changeset.
No verified proof-of-concept code is published. See the vulnerable source reference for the unpatched logic.
Detection Methods for CVE-2026-4136
Indicators of Compromise
- HTTP requests to WordPress endpoints containing an rcp_redirect parameter whose value points to an external domain
- Outbound password reset emails containing reset links with external URLs in the rcp_redirect query string
- User reports of being redirected to unfamiliar login pages after clicking password reset links
Detection Strategies
- Inspect web server access logs for rcp_redirect= values that do not match the site's own hostname or relative paths
- Search outbound mail logs for password reset messages with embedded absolute URLs in the redirect parameter
- Correlate failed WordPress login attempts following password reset activity to identify credential reuse from phishing
Monitoring Recommendations
- Alert on requests to wp-login.php and Restrict Content endpoints containing fully-qualified external URLs in query parameters
- Monitor the installed version of the restrict-content plugin across managed WordPress sites and flag any instance at or below 3.2.24
- Track DNS resolutions and proxy traffic for newly registered domains referenced in password reset URLs
How to Mitigate CVE-2026-4136
Immediate Actions Required
- Update the Membership Plugin – Restrict Content to a version above 3.2.24 that includes the fix from changeset 3486071
- Audit recent password reset activity for redirects pointing to non-site domains
- Notify users who recently completed a password reset and recommend that they verify credentials and rotate passwords if they entered them on an unfamiliar page
Patch Information
The vendor addressed the issue in the Restrict Content changeset 3486071. Administrators should upgrade through the WordPress plugin manager or by deploying the patched release. Confirm the installed version reports higher than 3.2.24 after upgrade.
Workarounds
- If immediate patching is not possible, disable the password reset feature exposed by the plugin until the update is applied
- Deploy a Web Application Firewall (WAF) rule that strips or rejects rcp_redirect parameters whose values are not relative paths or do not match the site's hostname
- Restrict access to the plugin's login and reset endpoints to known IP ranges where feasible
# Example WAF/Nginx rule to block external rcp_redirect values
if ($arg_rcp_redirect ~* "^https?://(?!yoursite\.com)") {
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
