Description
The WPCOM Member plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.7.14 via the action parameter in one of its shortcodes. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Published: 2025-11-01
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary PHP code execution via local file inclusion
Action: Patch Immediate
AI Analysis

Impact

The WPCOM Member plugin for WordPress lets an authenticated user with Contributor-level access or higher trigger a local file inclusion through the action parameter of one of its shortcodes. The attacker chooses which .php file on the server is included, so any PHP file they can get onto the filesystem (for example through a separate upload weakness) runs with the web server's privileges. Even without an uploaded payload, including existing PHP files outside their intended context can bypass access controls or expose sensitive data.

Affected Systems

WordPress sites running the WPCOM Member plugin at version 1.7.14 or earlier are affected; the advisory names 1.7.14 as the last affected release. The Remediation section below records no vendor fix, so check the plugin's changelog for a release that addresses this issue before treating a newer version as patched.

Risk and Exploitability

The CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) denotes high severity: network-reachable, low attack complexity and no user interaction, but it requires an authenticated low-privilege account. The EPSS score below 1% indicates exploitation is not currently expected, and the SSVC entry in the history below records Exploitation: none and Automatable: no. The vulnerability is not listed in the CISA KEV catalog. The technical impact is nonetheless total: a Contributor can craft the shortcode so that the action attribute resolves to any .php file on the host, and code execution follows wherever the attacker can also place a .php file on disk. Contributors cannot upload files in a default WordPress install, so full RCE usually depends on a second weakness or a permissive upload configuration; the access-control bypass and data-exposure outcomes do not.

Generated by OpenCVE AI on April 22, 2026 at 12:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WPCOM Member plugin to a release newer than 1.7.14 that the vendor's changelog confirms addresses this issue.
  • Until then, unregister the affected shortcode (remove_shortcode) or limit the ability to publish content containing it to trusted roles; Contributor is the lowest role the advisory names as able to exploit it.
  • In the plugin code, map the action attribute to an allowlist of template names rather than building the include path from it. An extension check alone does not help, since the vulnerable include already appends .php; a path-traversal string still reaches the filesystem.
  • Consider a web application firewall rule that flags traversal sequences (../) in the shortcode's action attribute. The include fires when the post is rendered, not when it is saved, so the rule must inspect post-save and REST requests that carry the shortcode text, and stored content should be audited as well.
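The following added example is not the WPCOM Member plugin's code; the page does not show it. It sketches the CWE-98 shape the advisory describes (a shortcode attribute concatenated into an include path) next to the allowlist-plus-containment check recommended above, and runs both against constructed attacker inputs on a throwaway directory. The template names, directory layout and the "action" values are assumptions for the demo.

```php
<?php
// Added illustration of CWE-98 in a shortcode-style template include.
// Not the WPCOM Member plugin's code; names and layout are constructed.

// Vulnerable shape: the attribute is concatenated into the include path.
// Contributors can place shortcodes in posts, so they control $action. The
// hard-coded ".php" suffix only means the attacker needs a .php file on disk,
// e.g. one placed through an unrelated upload weakness.
function vulnerable_template_path(string $templateDir, string $action): string
{
    return $templateDir . '/' . $action . '.php';
}

// Hardened shape: map the attribute through a fixed allowlist so no attacker
// bytes reach the path, then confirm the resolved file still lives under the
// template directory before it would be included.
function hardened_template_path(string $templateDir, string $action): ?string
{
    static $allowed = [
        'login'    => 'login.php',
        'register' => 'register.php',
        'profile'  => 'profile.php',
    ];
    $key = strtolower(trim($action));
    if (!isset($allowed[$key])) {
        return null; // unknown action: refuse rather than guess
    }
    $base = realpath($templateDir);
    $real = realpath($templateDir . '/' . $allowed[$key]);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // missing file or escaped the template directory
    }
    return $real;
}

// --- Demo on a throwaway directory tree (constructed, cleaned up below) -----
$root = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir("$root/plugin/templates", 0700, true);
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/plugin/templates/login.php", "<?php echo 'login form';");
// Stands in for a PHP file an attacker managed to get onto the server.
file_put_contents("$root/uploads/shell.php", "<?php echo 'attacker code';");

$templates = "$root/plugin/templates";
$samples = [
    'login',               // legitimate value
    '../../uploads/shell', // traversal to the attacker's uploaded file
    'profile',             // allowlisted name that is not present on disk
];

foreach ($samples as $action) {
    $v = vulnerable_template_path($templates, $action);
    $h = hardened_template_path($templates, $action);
    printf("action=%-22s vulnerable would include: %s (exists: %s)\n",
        var_export($action, true), $v, file_exists($v) ? 'yes' : 'no');
    printf("%-29s hardened would include:   %s\n", '', $h ?? 'REFUSED');
}

// Remove the constructed tree.
foreach (["$root/plugin/templates/login.php", "$root/uploads/shell.php"] as $f) {
    unlink($f);
}
foreach (["$root/plugin/templates", "$root/plugin", "$root/uploads", $root] as $d) {
    rmdir($d);
}
```

Run with `php lfi-demo.php`. The traversal value resolves to the uploaded shell.php in the vulnerable branch and is refused by the hardened one, which is the difference between "attacker controls a string" and "attacker controls which file the interpreter executes". The realpath containment check is deliberately kept even though the allowlist already prevents traversal: it catches a later edit that reintroduces user input into the path.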


Advisories

No advisories yet.

History

Mon, 03 Nov 2025 19:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 03 Nov 2025 10:45:00 +0000

Type: First Time appeared
Values added: Wordpress (wordpress); Wpcom (wpcom Member)

Type: Vendors & Products
Values added: Wordpress (wordpress); Wpcom (wpcom Member)

Sat, 01 Nov 2025 02:00:00 +0000

Type: Description
Values added: The WPCOM Member plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.7.14 via the action parameter in one of its shortcodes. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

Type: Title
Values added: WPCOM Member <= 1.7.14 - Authenticated (Contributor+) Local File Inclusion via Shortcode

Type: Weaknesses
Values added: CWE-98

Type: References

Type: Metrics (cvssV3_1)
Values added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:49:10.270Z

Reserved: 2025-10-17T16:47:34.805Z

Link: CVE-2025-11920

Vulnrichment

Updated: 2025-11-03T18:53:27.350Z

NVD

Status: Deferred

Published: 2025-11-01T02:15:33.037

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11920

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T13:00:09Z

Weaknesses