Description
The WPCOM Member plugin for WordPress is vulnerable to time-based SQL Injection via the ‘user_phone’ parameter in all versions up to, and including, 1.7.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-03-14
Score: 7.5 High
EPSS: 24.2% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WPCOM Member plugin for WordPress is affected by a time-based SQL injection flaw that originates from the unchecked user_phone parameter. Because the plugin concatenates this value directly into SQL statements without proper escaping or query preparation, an attacker able to control the value can inject additional SQL clauses. The vulnerability allows unauthenticated users to execute SQL commands that can read or manipulate sensitive information stored in the database. This is a classic input-validation weakness, classified as CWE-89 (SQL injection).

Affected Systems

Affected systems are WordPress sites running the WPCOM Member plugin at any version up to and including 1.7.6. These versions expose the user_phone field to injection regardless of whether the requester is authenticated. WordPress core itself is not vulnerable; the issue resides only within the plugin code.

Risk and Exploitability

The CVSS score of 7.5 indicates high impact, and the EPSS rating of 24% suggests a significant exploitation likelihood. The flaw is not listed in CISA KEV, but it is remotely exploitable: supplying a crafted user_phone value in an HTTP request triggers it. Attackers can embed time-delaying expressions to confirm the injection and harvest data without immediate detection.

Generated by OpenCVE AI on May 7, 2026 at 14:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WPCOM Member plugin to a version that contains the SQL injection fix, or apply an official patch if it becomes available.
  • If an update is not immediately available, modify the plugin’s code to escape or bind the user_phone parameter using prepared statements before executing its SQL query.
  • Disable the WPCOM Member plugin or remove it from sites that no longer require its functionality to eliminate the attack surface.
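The second recommendation above, illustrated in code. This is an added example, not code from the WPCOM Member plugin (the plugin's real query is not shown on this page); the table name, column names and the two lookup functions are assumptions made for illustration. The first function shows the concatenation pattern that produces this class of flaw; the second binds the value through $wpdb->prepare(), which is the standard WordPress way to parameterise a query.

```php
<?php
// Added example, not WPCOM Member plugin code. Table and column names are assumed.
// Both functions take a raw request value such as $_POST['user_phone'].

// Vulnerable pattern: the request value becomes part of the SQL text, so a
// value containing a quote or a SQL expression changes the statement itself.
function wpcom_demo_find_member_vulnerable( string $user_phone ) {
    global $wpdb;
    $table = $wpdb->prefix . 'wpcom_members'; // assumed table name
    $sql   = "SELECT id, user_id FROM {$table} WHERE user_phone = '" . $user_phone . "' LIMIT 1";
    return $wpdb->get_row( $sql );
}

// Hardened pattern: the value is bound as a %s placeholder, so the database
// always receives it as a quoted string literal, never as SQL syntax.
function wpcom_demo_find_member_safe( string $user_phone ) {
    global $wpdb;

    // Defence in depth: reject anything that does not look like a phone
    // number before it reaches the database. The prepared statement below
    // is the actual fix; this check only narrows what is accepted.
    $user_phone = trim( $user_phone );
    if ( ! preg_match( '/^\+?[0-9]{6,20}$/', $user_phone ) ) {
        return null;
    }

    $table = $wpdb->prefix . 'wpcom_members'; // assumed table name, not user-controlled

    // $wpdb->prepare() escapes and quotes the argument in place of %s.
    $sql = $wpdb->prepare(
        "SELECT id, user_id FROM {$table} WHERE user_phone = %s LIMIT 1",
        $user_phone
    );
    return $wpdb->get_row( $sql );
}
```

Only the value is bound; identifiers such as the table name must come from code, not from the request, because $wpdb->prepare() cannot parameterise them. The regular expression is a constructed allow-list and would need to match whatever phone formats a real deployment accepts.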



Advisories

Source: EUVD
ID: EUVD-2025-6411
Title: The WPCOM Member plugin for WordPress is vulnerable to time-based SQL Injection via the ‘user_phone’ parameter in all versions up to, and including, 1.7.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Mon, 14 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 0.00114}
Values Added: epss {'score': 0.00159}

Fri, 21 Mar 2025 15:15:00 +0000

Type: First Time appeared
Values Added: Wpcom; Wpcom wpcom Member

Type: CPEs
Values Added: cpe:2.3:a:wpcom:wpcom_member:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Wpcom; Wpcom wpcom Member

Fri, 14 Mar 2025 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 14 Mar 2025 07:00:00 +0000

Type: Description
Values Added: The WPCOM Member plugin for WordPress is vulnerable to time-based SQL Injection via the ‘user_phone’ parameter in all versions up to, and including, 1.7.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Type: Title
Values Added: WPCOM Member <= 1.7.6 - Unauthenticated Time-Based SQL Injection

Type: Weaknesses
Values Added: CWE-89

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:06:31.266Z

Reserved: 2025-03-11T16:47:41.261Z

Link: CVE-2025-2221

Vulnrichment

Updated: 2025-03-14T15:06:21.740Z

NVD

Status: Analyzed

Published: 2025-03-14T07:15:38.477

Modified: 2025-03-21T14:50:44.750

Link: CVE-2025-2221

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T15:00:13Z

Weaknesses