Membership Plugin – Restrict Content Vulnerability (Medium) – CVE-2…

by | Mar 19, 2026 | Plugins

Attack Vectors

CVE-2026-4136 is a Medium-severity unvalidated redirect vulnerability affecting the Membership Plugin – Restrict Content WordPress plugin (slug: restrict-content) in all versions up to and including 3.2.24. The issue can be triggered during the password reset flow via the rcp_redirect parameter.

An unauthenticated attacker cannot take over an account with this issue alone, but they can potentially send a user who is following a password reset email to a site the attacker controls, provided they can trick the user into clicking a crafted link or completing an action in that flow. This makes the vulnerability most relevant to phishing and brand trust risk.

Security Weakness

The core weakness is insufficient validation of a redirect URL supplied through the rcp_redirect parameter. In practice, this means the plugin may send a user to an external destination that your site never intended when they complete password reset-related steps.

The vulnerability is scored CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). The “UI:R” component is important from a business perspective: user interaction is required, so the realistic risk often shows up as a social engineering and conversion/brand problem rather than an immediate system outage.

Technical or Business Impacts

Phishing enablement and brand damage: Password reset emails are high-trust moments. If a user is redirected to a lookalike page, they may believe it is part of your legitimate process—potentially leading to credential harvesting or payment fraud outside your site.

Increased support and customer churn: Users who experience suspicious redirects during password recovery often assume the business has been compromised. This can increase help-desk load, reduce renewals, and harm customer lifetime value.

Compliance and incident reporting pressure: Even when the site itself is not breached, a phishing incident tied to your domain and password reset process can trigger internal escalation, legal review, and customer communications—especially if it impacts regulated audiences or contractual security obligations.

Remediation: Update Membership Plugin – Restrict Content to version 3.2.25 or a newer patched version to address CVE-2026-4136. Track the CVE record here: https://www.cve.org/CVERecord?id=CVE-2026-4136.
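To make the weakness described under Security Weakness and the fix under Remediation concrete, here is an added illustration (not the plugin's own code and not taken from the advisory) of a hypothetical password-reset handler written two ways: one that honours rcp_redirect blindly with wp_redirect(), and one that runs it through WordPress's wp_validate_redirect()/wp_safe_redirect() host allowlist. The function names, the error_log() call and the billing.example.com host are assumptions.

```php
<?php
// Added illustration, not the plugin's code: a hypothetical handler that
// forwards the user to the destination named in the rcp_redirect parameter.

// Weak pattern: the parameter goes straight to wp_redirect(), which sanitizes
// characters but does NOT check the host, so any absolute URL is honoured.
function rcp_example_redirect_weak() {
    $target = isset( $_REQUEST['rcp_redirect'] )
        ? wp_unslash( $_REQUEST['rcp_redirect'] )
        : home_url( '/' );
    wp_redirect( $target ); // no host validation
    exit;
}

// Hardened pattern: wp_validate_redirect() only accepts the site's own host
// (plus hosts added via the allowed_redirect_hosts filter) and returns the
// fallback for anything else; wp_safe_redirect() applies the same check again.
function rcp_example_redirect_safe() {
    $requested = isset( $_REQUEST['rcp_redirect'] )
        ? wp_unslash( $_REQUEST['rcp_redirect'] )
        : '';
    $fallback = home_url( '/' );

    // Validate explicitly so the fallback decision is visible and loggable.
    $target = wp_validate_redirect( $requested, $fallback );

    // A non-empty request that collapsed to the fallback was rejected;
    // rejected off-site targets are a useful phishing-attempt signal (assumed logging).
    if ( '' !== $requested && $target === $fallback ) {
        error_log( 'rcp_redirect target rejected by host allowlist: ' . $requested );
    }

    wp_safe_redirect( $target );
    exit;
}

// Only add a host to the allowlist when the business genuinely needs it,
// e.g. a separate billing domain (placeholder value).
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    $hosts[] = 'billing.example.com';
    return $hosts;
} );
```

Relative paths such as /account/ pass validation unchanged, while protocol-relative (//) and foreign-host URLs fall back to the home page.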

Similar Attacks

Unvalidated redirects are frequently used as a stepping stone in phishing because they leverage a trusted starting point (your domain or a known workflow) to move a user to an attacker-controlled destination. A documented example of a similar open redirect vulnerability is CVE-2018-11759 (Apache Tomcat Open Redirect), which illustrates how redirect handling issues can be abused to support social engineering campaigns.

For the vendor advisory and additional context on this specific issue, see the source disclosure: Wordfence vulnerability entry.
