CVE-2026-12426
Received Received - Intake

Sensitive Information Exposure in Members WordPress Plugin

Vulnerability report for CVE-2026-12426, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-11

Last updated on: 2026-07-11

Assigner: Wordfence

Description

The Members – Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.22 via the members_filter_protected_posts_for_rest. This makes it possible for unauthenticated attackers to extract determine the existence and exact count of access-restricted posts, and use per-page pagination as a boolean oracle to infer keywords and content contained within those hidden restricted posts.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-11
Last Modified
2026-07-11
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
members membership_user_role_editor_plugin to 3.2.22 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthenticated attackers to infer the existence, count, and potentially content of access-restricted posts, leading to sensitive information exposure.

Such exposure of sensitive information could potentially impact compliance with data protection standards and regulations like GDPR and HIPAA, which require protection of confidential and personal data from unauthorized access.

However, the provided information does not explicitly state the direct impact on compliance with these standards.

Executive Summary

The vulnerability exists in the Members – Membership & User Role Editor Plugin for WordPress, affecting all versions up to and including 3.2.22. It allows unauthenticated attackers to exploit the members_filter_protected_posts_for_rest function to determine the existence and exact number of access-restricted posts.

Attackers can use per-page pagination as a boolean oracle to infer keywords and content within those hidden restricted posts, effectively exposing sensitive information that should be protected.

Impact Analysis

This vulnerability can lead to sensitive information exposure by allowing unauthorized users to discover the presence and quantity of restricted content on a WordPress site.

Attackers may infer keywords and content from protected posts, potentially leaking confidential or private data without needing authentication.

Such exposure can compromise the privacy and security of the site's content and its users.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12426. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart