Description
The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpmem_user_memberships shortcode in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-05-17
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Patch Plugin
AI Analysis

Impact

The WP-Members Membership Plugin lets authenticated users with the contributor role or higher inject arbitrary web scripts through the attributes of the wpmem_user_memberships shortcode, because those attribute values are neither sanitized on input nor escaped on output. A contributor cannot publish, but a payload saved in a draft or pending post is stored in the database and executes in the browser of anyone who renders that content, including the editor or administrator who reviews it and every visitor once it is published. The usual consequences of stored XSS follow: theft of session cookies or nonces, actions performed with the victim's privileges, site defacement, and credential phishing from a trusted origin.
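
To make the bug class concrete, here is an added illustration written for this page, not code from WP-Members or its author: a hypothetical [demo_memberships] shortcode with an `element` and a `wrap_class` attribute, first in the vulnerable shape the advisory describes (attribute values dropped straight into HTML) and then hardened with an allow-list and context-appropriate escaping. The shortcode tag, attribute names and output markup are assumptions chosen for the demonstration and do not reproduce the real wpmem_user_memberships handler; the file runs as a WordPress mu-plugin.

```php
<?php
/**
 * Added illustration, not WP-Members code. Drop into wp-content/mu-plugins/
 * to try both handlers; only the hardened one is registered below.
 * Shortcode tag, attribute names and markup are assumptions for the demo.
 */

// VULNERABLE: attribute values are concatenated into markup unescaped.
// A contributor who writes [demo_memberships wrap_class='x" onmouseover="alert(1)']
// gets <ul class="x" onmouseover="alert(1)"> stored and rendered for every viewer.
function demo_memberships_vulnerable( $atts ) {
    $atts = shortcode_atts( array(
        'element'    => 'ul',
        'wrap_class' => 'memberships',
    ), $atts, 'demo_memberships' );

    $user = wp_get_current_user();
    $out  = '<' . $atts['element'] . ' class="' . $atts['wrap_class'] . '">';
    foreach ( (array) $user->roles as $role ) {
        $out .= '<li>' . $role . '</li>';
    }
    return $out . '</' . $atts['element'] . '>';
}

// HARDENED: shortcode_atts() already drops attributes that are not declared;
// the tag name is constrained to an allow-list (escaping cannot make "script"
// a safe tag name), the class is reduced to valid class characters, and every
// value is escaped for the exact context it lands in.
function demo_memberships_hardened( $atts ) {
    $atts = shortcode_atts( array(
        'element'    => 'ul',
        'wrap_class' => 'memberships',
    ), $atts, 'demo_memberships' );

    $element = in_array( $atts['element'], array( 'ul', 'ol', 'div' ), true )
        ? $atts['element']
        : 'ul';

    // sanitize_html_class() strips anything outside [A-Za-z0-9_-], with a fallback.
    $class = sanitize_html_class( $atts['wrap_class'], 'memberships' );

    $user = wp_get_current_user();
    $out  = sprintf( '<%s class="%s">', $element, esc_attr( $class ) );
    foreach ( (array) $user->roles as $role ) {
        $out .= '<li>' . esc_html( $role ) . '</li>'; // text node context
    }
    return $out . sprintf( '</%s>', $element );
}

add_shortcode( 'demo_memberships', 'demo_memberships_hardened' );
```

Why this survives the protections a contributor account normally has: users without the unfiltered_html capability have their post body run through wp_kses on save, which strips a literal `<script>` tag, but a quote character inside a shortcode attribute is plain text as far as kses is concerned, so it reaches the handler intact and only the handler's own escaping stands between it and the rendered page. That is the reason the fix belongs in the shortcode callback, and why the tag-name attribute needs an allow-list rather than esc_attr().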

Affected Systems

WordPress sites with WP-Members 3.5.2 or earlier active are affected; the flaw is in how the shortcode renders its attributes, so any page that renders the shortcode is exposed. Exploitation requires an account that can author post content, meaning the contributor role or any higher role (author, editor, administrator, or a custom role with equivalent capabilities).

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) scores 6.4, Medium: reachable over the network with low attack complexity, requiring only a low-privileged account, no victim interaction beyond loading the page, and changed scope because the script runs in other users' browsers rather than in the attacker's own context. The EPSS score is below 1%, the SSVC assessment recorded on 2025-05-19 rates exploitation as none and the flaw as not automatable, and it is not listed in the CISA KEV catalog. Unauthenticated users cannot trigger the vulnerability; an attacker must be logged in with at least contributor access and supply crafted attributes to the shortcode. Low exploitation scores do not remove the risk on a site that hands out contributor accounts freely, for example a membership site that grants registered members contributor or higher: no social engineering is needed, and once the payload is stored it fires for every user who renders the page, including the editor or administrator who reviews the contributor's pending post.

Generated by OpenCVE AI on April 21, 2026 at 20:45 UTC.

Remediation

No vendor fix or workaround is recorded in this entry's remediation field; the listed action is "Patch Plugin" (see the recommended actions below).

OpenCVE Recommended Actions

  • Update the WP-Members plugin to 3.5.3 or newer, where the shortcode's attribute values are sanitized and escaped. Confirm the installed version afterwards (Plugins screen or `wp plugin get wp-members`).
  • Audit stored content for existing wpmem_user_memberships shortcodes with suspicious attribute values and remove or correct them. Include drafts, pending and private posts, not only published ones: a contributor's payload sits in a pending post until an editor reviews it. Patching stops the stored values from rendering as script, but the payload stays in post_content until it is cleaned out.
  • Re-evaluate role assignments so that only trusted users hold contributor or higher access, and, if the plugin cannot be updated immediately, temporarily withdraw those capabilities or deactivate the plugin until it can be.
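
One way to carry out the audit in the second action, as an added helper that is not part of WP-Members or OpenCVE: a mu-plugin that registers a WP-CLI command scanning every post and page, drafts and pending submissions included, for wpmem_user_memberships shortcodes whose attribute values contain characters that can close an HTML attribute, open a tag, or smuggle a URL scheme or event handler. The command name `audit-shortcode`, the file path and the character heuristic are choices made for this example; treat every hit as something for a person to look at rather than as proof of compromise.

```php
<?php
/**
 * Added audit helper, not part of WP-Members or OpenCVE.
 * Save as wp-content/mu-plugins/audit-shortcode.php and run:
 *   wp audit-shortcode wpmem_user_memberships
 * The suspicious-character pattern is an assumption about what an attribute
 * injection needs, not a list taken from the advisory.
 */

function audit_shortcode_find_suspicious( $tag, $content ) {
    $hits  = array();
    $regex = get_shortcode_regex( array( $tag ) );   // same parser WordPress renders with
    if ( ! preg_match_all( '/' . $regex . '/', $content, $matches, PREG_SET_ORDER ) ) {
        return $hits;
    }
    foreach ( $matches as $m ) {
        // $m[3] is the raw attribute string; shortcode_parse_atts() splits it the
        // way the plugin will see it, and returns a string (not an array) when
        // the shortcode carries no attributes at all.
        $atts = shortcode_parse_atts( $m[3] );
        if ( ! is_array( $atts ) ) {
            continue;
        }
        foreach ( $atts as $name => $value ) {
            if ( ! is_string( $value ) ) {
                continue;
            }
            // Quote/angle/backtick characters, URL schemes and on*= handlers.
            if ( preg_match( '/[<>"\'`]|javascript:|data:|on\w+\s*=/i', $value ) ) {
                $hits[] = array( 'attr' => $name, 'value' => $value, 'shortcode' => $m[0] );
            }
        }
    }
    return $hits;
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'audit-shortcode', function ( $args ) {
        $tag   = isset( $args[0] ) ? $args[0] : 'wpmem_user_memberships';
        $posts = get_posts( array(
            'post_type'      => 'any',
            'post_status'    => 'any',    // drafts, pending, private, published
            'posts_per_page' => -1,
            's'              => '[' . $tag,   // cheap pre-filter; the regex above decides
        ) );

        $flagged = 0;
        foreach ( $posts as $post ) {
            $hits = audit_shortcode_find_suspicious( $tag, $post->post_content );
            if ( empty( $hits ) ) {
                continue;
            }
            $author = get_userdata( $post->post_author );
            $login  = $author ? $author->user_login : '?';
            $roles  = $author ? implode( ',', $author->roles ) : 'unknown';
            foreach ( $hits as $h ) {
                $flagged++;
                WP_CLI::warning( sprintf(
                    'post %d (%s) by %s [%s]: attr "%s" = %s',
                    $post->ID, $post->post_status, $login, $roles, $h['attr'], $h['value']
                ) );
            }
        }
        WP_CLI::success( sprintf( '%d post(s) scanned, %d suspicious attribute value(s).',
            count( $posts ), $flagged ) );
    } );
}
```

The report includes the author's login and roles so that a hit from a contributor account can be followed up as a possible attack rather than an editor's typo. Run it before and after the plugin update: the update changes how the values render, not what is stored.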

Advisories

Source: EUVD
ID: EUVD-2025-15571
Title: The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpmem_user_memberships shortcode in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

History

Mon, 19 May 2025 21:15:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 17 May 2025 09:45:00 +0000

Type: Description
Values removed: none
Values added: The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpmem_user_memberships shortcode in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values removed: none
Values added: WP-Members <= 3.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpmem_user_memberships Shortcode

Type: Weaknesses
Values removed: none
Values added: CWE-79

Type: References
Values removed: none
Values added: (none shown in this entry)

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:19.030Z

Reserved: 2025-05-12T20:49:19.492Z

Link: CVE-2025-4610

Vulnrichment

Updated: 2025-05-19T20:20:23.501Z

NVD

Status : Deferred

Published: 2025-05-17T10:15:20.740

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4610

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T20:45:25Z

Weaknesses