CVE-2026-1304
Stored XSS in Membership Plugin Invoice Fields Allows Admin Script Injection
Publication date: 2026-02-18
Last updated on: 2026-02-18
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| restrict_content_pro | restrict_content_pro | to 3.2.18 (inc) |
| restrict_content_pro | restrict_content_pro | 3.2.19 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Membership Plugin β Restrict Content for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via multiple invoice settings fields in all versions up to and including 3.2.18. This vulnerability arises because the plugin does not properly sanitize input or escape output in these fields.
An authenticated attacker with administrator-level access or higher can inject arbitrary web scripts into pages. These scripts will execute whenever a user accesses the injected page, potentially compromising user data or site integrity.
How can this vulnerability impact me? :
This vulnerability allows an attacker with administrator-level access to inject malicious scripts that execute in the context of the website for any user who views the affected pages.
- Execution of arbitrary JavaScript can lead to theft of user credentials or session cookies.
- Malicious scripts could perform actions on behalf of users without their consent.
- It could lead to defacement of the website or redirection to malicious sites.
- Overall, it compromises the security and trustworthiness of the website.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves Stored Cross-Site Scripting (XSS) via multiple invoice settings fields in the Membership Plugin β Restrict Content for WordPress. Detection would typically involve inspecting the invoice-related fields for injected scripts.
Since the vulnerability requires authenticated attackers with administrator-level access to inject scripts, detection on the network level is challenging. Instead, detection should focus on reviewing the content of invoice fields in the WordPress admin interface or database for suspicious script tags or payloads.
No specific commands or automated detection tools are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability affects all versions of the Membership Plugin β Restrict Content for WordPress up to and including 3.2.18. The immediate mitigation step is to update the plugin to version 3.2.19 or later, where sanitization and escaping improvements have been applied.
The update includes enhanced sanitization and escaping of inputs and outputs in the admin settings interface, which addresses the root cause of the Stored Cross-Site Scripting vulnerability.
Additionally, restrict administrator-level access to trusted users only, as exploitation requires authenticated admin privileges.