Description
The WP-Members Membership Plugin for WordPress is vulnerable to unauthorized file access in versions up to, and including, 3.5.4.4. This is due to storing user-uploaded files in predictable directories (wp-content/uploads/wpmembers/user_files/<user_id>/) without implementing proper access controls beyond basic directory listing protection (.htaccess with Options -Indexes). This makes it possible for unauthenticated attackers to directly access and download sensitive documents uploaded by site users via direct URL access, provided they can guess or enumerate user IDs and filenames.
Published: 2026-01-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Information Exposure through file access
Action: Patch Immediately
AI Analysis

Impact

The WP‑Members Membership Plugin stores uploaded files in predictable directories without adequate access controls. This flaw allows anyone who can guess a user ID or file name to download private documents via direct URL, leading to potential confidentiality compromise. The underlying weakness is a file‑system-based access control error, classified as CWE‑552.

Affected Systems

The vulnerability affects the WP‑Members Membership Plugin developed by cbutlerjr, versions up to and including 3.5.4.4, which is a WordPress plugin used on websites that rely on user‑generated content uploads.

Risk and Exploitability

With a CVSS score of 5.3 and an EPSS reflected as < 1 %, the risk and exploitation likelihood are moderate but not high. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it without authentication by constructing URL paths that follow the predictable storage pattern wp‑content/uploads/wpmembers/user_files/<user_id>/, provided they can enumerate or guess the required identifiers.

Generated by OpenCVE AI on April 21, 2026 at 16:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP‑Members Membership Plugin to a version newer than 3.5.4.4 once it becomes available from the vendor.
  • Configure the web server or the plugin settings to prevent public access to the wp‑content/uploads/wpmembers/user_files directory, for example by adding a .htaccess rule that denies all access or limits it to authenticated users.
  • Limit file upload permissions on the target WordPress installation and regularly audit the contents of the upload directory to detect any suspicious or unintended public files.
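As an added illustration of the second recommended action (this is not configuration shipped by the plugin or published by OpenCVE), the following .htaccess contrasts the listing-only protection named in the description with a rule that refuses direct web access to everything under the user_files directory. It assumes Apache with AllowOverride permitting Options and authorization directives in .htaccess; the directory path is the one given in the advisory.

```apacheconf
# Added example for wp-content/uploads/wpmembers/user_files/.htaccess
# (hypothetical hardening, not the plugin's own file).

# --- Weak (what the advisory describes) -------------------------------------
# Only hides the directory listing. A request for
# /wp-content/uploads/wpmembers/user_files/<user_id>/<filename> is still served
# to anyone who can guess the two identifiers.
#
#     Options -Indexes

# --- Hardened --------------------------------------------------------------
# Keep the listing disabled AND deny every direct request to files under this
# directory, whatever the client or the file name.
Options -Indexes

<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order deny,allow
    Deny from all
</IfModule>

# Verification (run from outside the server after deploying; the path is a
# constructed sample, the expected status is 403 rather than 200):
#     curl -sI https://example.test/wp-content/uploads/wpmembers/user_files/1/report.pdf | head -n 1
```

Two caveats a deployer should check: a `Require all granted` for the uploads tree in the virtual host or a later .htaccess will override this rule, and nginx ignores .htaccess entirely, so there the equivalent `location` block with `deny all;` is needed. Denying all direct access also means legitimate users can no longer fetch their own documents by URL; those downloads then have to go through an application handler that verifies the requester's session before reading the file from disk.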


Tracking


Advisories

No advisories yet.

History

Wed, 07 Jan 2026 17:15:00 +0000

Type: Metrics
Values added: ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 Jan 2026 10:45:00 +0000

Type: First Time appeared
Values added: Wordpress (wordpress)

Type: Vendors & Products
Values added: Wordpress (wordpress)

Wed, 07 Jan 2026 02:45:00 +0000

Type: Description
Values added: The WP-Members Membership Plugin for WordPress is vulnerable to unauthorized file access in versions up to, and including, 3.5.4.4. This is due to storing user-uploaded files in predictable directories (wp-content/uploads/wpmembers/user_files/<user_id>/) without implementing proper access controls beyond basic directory listing protection (.htaccess with Options -Indexes). This makes it possible for unauthenticated attackers to directly access and download sensitive documents uploaded by site users via direct URL access, granted they can guess or enumerate user IDs and filenames.

Type: Title
Values added: WP-Members Membership Plugin <= 3.5.4.4 - Unauthenticated Information Exposure via Unprotected Files

Type: Weaknesses
Values added: CWE-552

Type: References
Values added:

Type: Metrics
Values added: cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:30.805Z

Reserved: 2025-11-03T20:06:09.217Z

Link: CVE-2025-12648

Vulnrichment

Updated: 2026-01-07T14:53:31.572Z

NVD

Status: Deferred

Published: 2026-01-07T12:16:47.120

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12648

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:00:12Z

Weaknesses