WordPress Membership Plugin Privilege Escalation Vulnerability
Vulnerability
A privilege escalation vulnerability exists in the Membership Plugin - Restrict Content for WordPress, affecting all versions up to and including 3.2.20. The issue arises because the 'rcp_setup_registration_init()' function allows any membership level ID to be submitted via the 'rcp_level' POST parameter without proper validation. This includes inactive levels that provide elevated WordPress roles, such as Administrator, or paid levels that require a sign-up fee. The vulnerability can be exploited by unauthenticated users to register for any membership level, including those with administrative privileges.
Impact
Exploitation of this vulnerability allows unauthenticated users to register for any membership level, including those that grant administrative privileges on WordPress sites.
Reproduction
To reproduce this vulnerability, send a POST request to the registration endpoint with the 'rcp_level' parameter set to an arbitrary membership level ID. Bypass any validation checks for active levels or payment requirements. If the selected level is inactive but offers a role like Administrator, or if it is a paid level, the registration will be processed accordingly.
Remediation
Users can update to version 3.2.21 or later, where this vulnerability has been addressed.
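An added sketch, not the plugin's code and not the 3.2.21 patch, of the server-side validation whose absence is described above: the submitted 'rcp_level' is resolved against the site's own level registry, inactive levels are refused, and paid levels grant nothing until payment is confirmed. The function name, the registry layout and the sample levels are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Constructed sample registry; the field names are assumptions for this sketch.
const LEVELS = [
    1 => ['name' => 'Free',    'status' => 'active',   'role' => 'subscriber',    'fee' => 0.0],
    2 => ['name' => 'Premium', 'status' => 'active',   'role' => 'subscriber',    'fee' => 25.0],
    3 => ['name' => 'Staff',   'status' => 'inactive', 'role' => 'administrator', 'fee' => 0.0],
];

/**
 * Hypothetical helper: resolve the submitted level on the server.
 * Returns the level id, role and a grant decision, or null when the request is rejected.
 */
function resolve_registration_level(array $post, array $levels): ?array
{
    // Accept only a plain positive integer; arrays, "3abc" and "" all fail here.
    $id = filter_var($post['rcp_level'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null || !isset($levels[$id])) {
        return null;
    }
    $level = $levels[$id];

    // Inactive levels are never selectable from a public registration form.
    if ($level['status'] !== 'active') {
        return null;
    }

    // Paid levels stay pending until the payment gateway confirms; no role is granted yet.
    $grant = $level['fee'] > 0 ? 'pending_payment' : 'immediate';

    return ['id' => $id, 'role' => $level['role'], 'grant' => $grant];
}

// Constructed requests covering the cases named in the advisory.
$requests = [['rcp_level' => '1'], ['rcp_level' => '2'], ['rcp_level' => '3'], ['rcp_level' => '99'], []];
foreach ($requests as $post) {
    $result = resolve_registration_level($post, LEVELS);
    echo json_encode($post), ' => ', $result === null ? 'rejected' : json_encode($result), PHP_EOL;
}
```

With the sample registry, the free level is granted immediately, the paid level is held pending payment, and the inactive Administrator level, the unknown ID and the missing parameter are all rejected.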
