Description
The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpmem_login_link' shortcode in all versions up to, and including, 3.5.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-07-22
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS that allows an authenticated contributor or higher to inject scripts which will execute in every visitor’s browser
Action: Immediate Patch
AI Analysis

Impact

The WP-Members Membership Plugin for WordPress contains a stored cross-site scripting flaw in the 'wpmem_login_link' shortcode. The plugin does not properly sanitize or escape user-supplied attributes, enabling an attacker with contributor-level access or greater to inject arbitrary JavaScript. Whenever a user views a page that contains the injected shortcode, the attacker's script runs in that visitor's browser, potentially hijacking sessions, stealing data, or defacing the site.

Affected Systems

All WordPress sites that have the WP-Members plugin by cbutlerjr installed in version 3.5.4.1 or earlier are affected. Any such site on which users with contributor-level or higher privileges can create or edit content is exposed.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, while the EPSS score of less than 1% suggests a very low likelihood of exploitation. The vulnerability requires the attacker to be logged in with sufficient privileges, so it is not exploitable by an unauthenticated remote attacker. The attack would likely proceed by adding or editing a post or page that contains the vulnerable shortcode, placing malicious code that runs for all visitors who load that page. Because the flaw is in a third-party plugin rather than in WordPress core, sites that do not use WP-Members, or that have upgraded past 3.5.4.1, are not at risk.

Generated by OpenCVE AI on April 22, 2026 at 01:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP-Members plugin to a version newer than 3.5.4.1, which removes the vulnerability.
  • Restrict contributor or higher access to only trusted users, or disable the ability to edit content that contains the 'wpmem_login_link' shortcode.
  • If an upgrade is not immediately possible, avoid using the affected shortcode on publicly accessible pages and manually sanitize or escape any attributes before rendering.
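As an added illustration of the last point (this is not the WP-Members plugin's own code; the function and shortcode names are hypothetical), the following shows a WordPress shortcode handler of the kind the advisory describes, first in the form that interpolates user-supplied attributes into HTML unescaped, then hardened with the standard WordPress escaping functions, each chosen for the context the value lands in.

```php
<?php
// Added illustration, not WP-Members code. Both handlers accept the same
// attributes and build a login link; only the second escapes its output.

// Hypothetical vulnerable handler: attribute values reach the HTML as-is,
// which is the defect class CWE-79 names (improper neutralization of input
// during web page generation).
function example_login_link_unsafe( $atts ) {
    $atts = shortcode_atts( array(
        'class'    => '',
        'redirect' => '',
        'text'     => 'Log in',
    ), $atts, 'example_login_link' );

    $url = wp_login_url( $atts['redirect'] );

    // Nothing here prevents a quote or angle bracket in an attribute from
    // terminating the attribute or the tag.
    return '<a href="' . $url . '" class="' . $atts['class'] . '">'
         . $atts['text'] . '</a>';
}

// Hardened handler: same markup, each value escaped for where it is used.
function example_login_link_safe( $atts ) {
    $atts = shortcode_atts( array(
        'class'    => '',
        'redirect' => '',
        'text'     => 'Log in',
    ), $atts, 'example_login_link' );

    // Keep the post-login redirect on this site; wp_validate_redirect()
    // substitutes the fallback when the target points at another host.
    $redirect = wp_validate_redirect( $atts['redirect'], home_url( '/' ) );
    $url      = wp_login_url( $redirect );

    return sprintf(
        '<a href="%s" class="%s">%s</a>',
        esc_url( $url ),            // URL context: rejects disallowed schemes
        esc_attr( $atts['class'] ), // attribute context: encodes quotes and brackets
        esc_html( $atts['text'] )   // text-node context: encodes tag characters
    );
}

add_shortcode( 'example_login_link', 'example_login_link_safe' );
```

The escaping belongs in the handler rather than at save time because the shortcode is expanded when the page is rendered, so the attribute values a contributor stored are turned into markup for every visitor. A review of an existing shortcode should therefore check each attribute against the context it is written into: esc_url() for href values, esc_attr() for anything inside an attribute, esc_html() for link text.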

Advisories
Source: EUVD
ID: EUVD-2025-22293
Title: The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpmem_login_link' shortcode in all versions up to, and including, 3.5.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Tue, 22 Jul 2025 17:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 22 Jul 2025 13:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Tue, 22 Jul 2025 04:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpmem_login_link' shortcode in all versions up to, and including, 3.5.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Removed: (none)
Values Added: WP-Members <= 3.5.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:09:49.296Z

Reserved: 2025-07-11T14:49:02.447Z

Link: CVE-2025-7495

Vulnrichment

Updated: 2025-07-22T16:31:22.937Z

NVD

Status : Deferred

Published: 2025-07-22T05:15:41.377

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7495

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:15:07Z

Weaknesses