Description
The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Multiple Checkbox and Multiple Select user profile fields in all versions up to, and including, 3.5.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-01-15
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting allowing authenticated users to inject and execute arbitrary scripts in user profile fields
Action: Apply Patch
AI Analysis

Impact

The WP-Members Membership Plugin suffers from insufficient input sanitization and output escaping in its multiple checkbox and multiple select profile fields. This flaw permits a user with the Subscriber role or higher to store malicious JavaScript that runs whenever another user views a page displaying the profile data. The injected scripts can steal cookies, hijack sessions, impersonate users, or deface content, affecting the confidentiality, integrity, and trustworthiness of the site. The vulnerability is a classic stored XSS, classified as CWE-79.

Affected Systems

All installations of the WP-Members Membership Plugin at version 3.5.4.3 and earlier (including all minor releases up to that point) are affected. The plugin must be installed on a WordPress site where users with the Subscriber role or higher are able to edit profile fields. Only the plugin is impacted; other WordPress components remain unaffected.

Risk and Exploitability

The CVSS score of 5.4 signals moderate severity, while the EPSS of less than 1% indicates a low probability of exploitation in the short term. The flaw is not listed in the CISA KEV catalog. An attacker must first authenticate to the WordPress site and then use the profile editing interface to add a malicious payload to a multi-select or checkbox field. No privileges beyond the existing role permissions and no external access vectors are required, so any legitimate site subscriber is in a position to exploit the flaw.

Generated by OpenCVE AI on April 21, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest WP-Members plugin release (3.5.5 or later) which contains proper input sanitization and output escaping for custom profile fields.
  • If an upgrade is not immediately possible, restrict or remove the custom multiple checkbox and multiple select fields from Subscriber and lower roles to prevent injected content from being stored.
  • Consider disabling the profile editing feature for all but trusted administrators or implementing an additional input validation layer such as a web application firewall to block known XSS payloads.
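As an added illustration of the pattern described in the Impact and Recommended Actions sections (this is not code from WP-Members or OpenCVE), the snippet below shows a multi-value profile field echoed without escaping, beside a hardened version that validates stored values against the administrator-configured options and escapes every value on output. The function names, the option list and the submitted values are constructed for the example; the esc_html stand-in is a simplification of the real WordPress function.

```php
<?php
// Added illustration, not WP-Members code. Shows the class of bug behind CVE-2025-14448:
// a multi-checkbox / multi-select profile value stored and echoed verbatim, next to a
// version that validates on save and escapes on output.

// Minimal stand-in so this runs outside WordPress; inside WP the real esc_html() exists
// (it additionally handles already-encoded entities, which this simplification does not).
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

// Options an administrator configured for the field (constructed sample).
$allowed = array( 'news', 'events', 'offers' );

// What a Subscriber submitted via the profile form (constructed sample with a script payload).
$submitted = array( 'news', '<script>alert(1)</script>' );

// Vulnerable pattern: selected values are joined and echoed with no escaping,
// so anything stored in the field reaches the page as live HTML.
function render_multi_unsafe( array $values ) {
    return '<p class="profile-field">' . implode( ', ', $values ) . '</p>';
}

// Hardened pattern, step 1: on save, keep only values that are actually among the
// configured options (strict comparison, so type juggling cannot sneak a value through).
function save_multi_safe( array $values, array $allowed ) {
    $clean = array();
    foreach ( $values as $v ) {
        if ( in_array( (string) $v, $allowed, true ) ) {
            $clean[] = (string) $v;
        }
    }
    return $clean;
}

// Hardened pattern, step 2: on output, escape every value regardless of what was stored,
// so the display code stays safe even if an older unvalidated value is still in the database.
function render_multi_safe( array $values ) {
    $escaped = array_map( 'esc_html', $values );
    return '<p class="profile-field">' . implode( ', ', $escaped ) . '</p>';
}

echo render_multi_unsafe( $submitted ), "\n";                              // script tag reaches the page
echo render_multi_safe( save_multi_safe( $submitted, $allowed ) ), "\n";   // only "news" survives
echo render_multi_safe( $submitted ), "\n";                                // payload rendered as inert text
```

Both layers matter: validation on save limits what can be stored, and escaping on output protects pages that display values which were saved before the fix.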

Advisories

No advisories yet.

History

Tue, 24 Feb 2026 19:00:00 +0000

First Time appeared
  Values added: Butlerblog; Butlerblog wp-members
CPEs
  Values removed: cpe:2.3:a:cbutlerjr:wp-members_membership_plugin:*:*:*:*:*:wordpress:*:*
  Values added: cpe:2.3:a:butlerblog:wp-members:*:*:*:*:*:wordpress:*:*
Vendors & Products
  Values removed: Cbutlerjr; Cbutlerjr wp-members Membership Plugin
  Values added: Butlerblog; Butlerblog wp-members

Fri, 23 Jan 2026 16:15:00 +0000

First Time appeared
  Values added: Cbutlerjr; Cbutlerjr wp-members Membership Plugin
CPEs
  Values added: cpe:2.3:a:cbutlerjr:wp-members_membership_plugin:*:*:*:*:*:wordpress:*:*
Vendors & Products
  Values added: Cbutlerjr; Cbutlerjr wp-members Membership Plugin

Thu, 15 Jan 2026 15:15:00 +0000

Metrics
  Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 15 Jan 2026 08:15:00 +0000

First Time appeared
  Values added: Wordpress; Wordpress wordpress
Vendors & Products
  Values added: Wordpress; Wordpress wordpress

Thu, 15 Jan 2026 05:30:00 +0000

Description
  Values added: The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Multiple Checkbox and Multiple Select user profile fields in all versions up to, and including, 3.5.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title
  Values added: WP-Members Membership Plugin <= 3.5.4.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Multiple Checkbox and Multiple Select User Profile Fields
Weaknesses
  Values added: CWE-79
References
Metrics
  Values added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:34.094Z

Reserved: 2025-12-10T13:56:57.548Z

Link: CVE-2025-14448

Vulnrichment

Updated: 2026-01-15T14:47:46.626Z

NVD

Status: Analyzed

Published: 2026-01-15T06:16:05.610

Modified: 2026-02-24T18:47:57.383

Link: CVE-2025-14448

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T16:30:40Z

Weaknesses