CVE-2026-32546
Missing Authorization in StellarWP Restrict Content Plugin
Publication date: 2026-03-25
Last updated on: 2026-04-29
Assigner: Patchstack
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| stellarwp | restrict_content | to 3.2.22 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Missing Authorization issue in the StellarWP Restrict Content plugin. It occurs due to incorrectly configured access control security levels, which means that the plugin does not properly restrict access to certain content or features.
How can this vulnerability impact me?
The impact of this vulnerability is that unauthorized users may gain access to restricted content or features that should be protected. This could lead to exposure of sensitive information or unauthorized actions within the system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-32546 is a broken access control vulnerability that allows unauthorized users to perform actions requiring higher privileges in the WordPress Restrict Content Plugin. Such unauthorized access could potentially lead to exposure or modification of protected content or data.
While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, broken access control vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations.
Therefore, if exploited, this vulnerability could negatively impact compliance with regulations that require strict access controls and protection of sensitive data, such as GDPR and HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves broken access control in the WordPress Restrict Content Plugin versions up to and including 3.2.22, allowing unauthorized privilege escalation due to missing authorization checks.
Detection typically involves verifying the plugin version installed on your WordPress site to see if it is vulnerable (version ≤ 3.2.22).
You can check the plugin version by running commands on your server such as:
- Using WP-CLI: `wp plugin list | grep restrict-content`
- Manually checking the plugin version in the plugin's main PHP file, e.g., `cat wp-content/plugins/restrict-content/restrict-content.php | grep 'Version'`
Additionally, monitoring for unusual privilege escalation attempts or unauthorized actions in your WordPress logs may help detect exploitation attempts, but no specific detection commands or signatures are provided.
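The version check described above, written out as an added example (not code from the advisory, Patchstack or the plugin vendor): a POSIX shell script that reads the `Version` header from a plugin main file and flags anything below 3.2.23. The function names and the file path passed on the command line are assumptions of this example.

```sh
#!/bin/sh
# Added example: flag Restrict Content installs inside the affected range.
FIXED_VERSION="3.2.23"   # first patched release named in the advisory

# version_lt A B: succeed when dotted version A is strictly lower than B.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        # Keep only leading digits ("22-beta" -> 22); a missing field counts as 0.
        x=${x%%[!0-9]*} y=${y%%[!0-9]*}
        x=${x:-0} y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # equal versions are not "lower"
}

# is_vulnerable VERSION: true for anything up to and including 3.2.22.
is_vulnerable() { version_lt "$1" "$FIXED_VERSION"; }

# header_version FILE: print the Version field of a WordPress plugin header.
header_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9A-Za-z.-]*\).*/\1/p' "$1" | head -n 1
}

# check_plugin_file FILE: one-line verdict; status 0 ok, 1 vulnerable, 2 unknown.
check_plugin_file() {
    v=$(header_version "$1")
    [ -n "$v" ] || { echo "UNKNOWN no Version header: $1"; return 2; }
    if is_vulnerable "$v"; then
        echo "VULNERABLE $v (update to $FIXED_VERSION or later): $1"; return 1
    fi
    echo "OK $v: $1"
}

# Usage: sh check.sh <path to the plugin's main PHP file> [more files...]
# A version string reported by WP-CLI can be passed to is_vulnerable directly.
for f in "$@"; do check_plugin_file "$f"; done
```

The comparison is numeric per field, so 3.2.9 is treated as older than 3.2.23 and 3.10.0 as newer, which a plain string comparison would get wrong.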
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to update the WordPress Restrict Content Plugin to version 3.2.23 or later, which contains the patch that fixes this broken access control vulnerability.
If you use Patchstack, enabling auto-updates specifically for vulnerable plugins can ensure rapid protection against this and similar vulnerabilities.
Since the vulnerability is due to missing authorization checks, avoid using or exposing vulnerable plugin versions until patched.