CVE-2026-1304 in Membership Plugin
Summary
by MITRE • 02/18/2026
The Membership Plugin – Restrict Content for WordPress is vulnerable to Stored Cross-Site Scripting via multiple invoice settings fields in all versions up to, and including, 3.2.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 02/18/2026
The membership plugin for wordpress represents a critical component in many web applications that manage user access control and subscription-based content delivery. This particular plugin version 3.2.18 and earlier contains a stored cross-site scripting vulnerability that directly impacts the security posture of wordpress installations relying on this functionality. The vulnerability stems from inadequate input sanitization mechanisms within the plugin's invoice settings configuration fields, creating an exploitable condition that allows malicious actors with administrative privileges to persist malicious code within the application's data storage.
The technical flaw manifests in the plugin's failure to properly sanitize user inputs when processing invoice-related configuration parameters. This insufficient sanitization combined with inadequate output escaping creates a persistent xss vector where attacker-controlled scripts can be stored in the database and subsequently executed whenever legitimate users access pages containing the compromised data. The vulnerability specifically affects multiple invoice settings fields, suggesting a systemic issue within the plugin's data handling architecture rather than isolated input validation failures. This stored nature of the vulnerability means that the malicious payload remains active even after the initial injection, continuously affecting any user who encounters the compromised content during normal application operation.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with elevated privileges to manipulate the application's behavior and potentially escalate their access within the wordpress environment. An authenticated attacker with administrator-level permissions can inject malicious javascript code that executes in the context of other users' browsers, potentially leading to session hijacking, data theft, or further compromise of the affected wordpress installation. The vulnerability's persistence through database storage means that the injected scripts will execute whenever any user accesses pages containing the compromised invoice settings, making it particularly dangerous for high-traffic sites where many users might encounter the malicious content.
Security practitioners should recognize this vulnerability as a direct violation of secure coding practices outlined in the cwe dictionary under cwe-79 which addresses cross-site scripting flaws. The attack surface aligns with techniques described in the mitre att&ck framework within the execution and privilege escalation domains, where adversaries leverage application-level vulnerabilities to establish persistent access. Organizations should immediately implement mitigations including upgrading to patched versions of the plugin, implementing additional input validation measures, and conducting comprehensive security assessments of all installed wordpress plugins. The vulnerability also highlights the importance of proper output escaping and input sanitization in web applications, particularly those handling user-generated configuration data, and demonstrates the critical need for regular security updates and vulnerability management processes in wordpress environments.