The Members – Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.22 via the members_filter_protected_posts_for_rest. This makes it possible for unauthenticated attackers to extract determine the existence and exact count of access-restricted posts, and use per-page pagination as a boolean oracle to infer keywords and content contained within those hidden restricted posts.
Metrics
Affected Vendors & Products
References
History
Sat, 11 Jul 2026 03:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Members – Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.22 via the members_filter_protected_posts_for_rest. This makes it possible for unauthenticated attackers to extract determine the existence and exact count of access-restricted posts, and use per-page pagination as a boolean oracle to infer keywords and content contained within those hidden restricted posts. | |
| Title | Members <= 3.2.22 - Unauthenticated Sensitive Information Disclosure via REST API Pagination Side Channel | |
| Weaknesses | CWE-200 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-07-11T02:31:18.186Z
Reserved: 2026-06-16T17:04:21.226Z
Link: CVE-2026-12426
No data.
No data.
No data.
OpenCVE Enrichment
No data.