Description
The WP-Members Membership Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.5.4.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.
Published: 2025-09-09
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary shortcode execution by authenticated users
Action: Patch NOW
AI Analysis

Impact

The WP‑Members Membership Plugin allows a subscriber or higher role to place values in user profile names that are passed directly to the internal do_shortcode function without proper validation. This flaw permits the user to embed any shortcode, including malicious ones, thereby enabling arbitrary code execution within the context of the WordPress website. The vulnerability is classified as code injection (CWE‑94) and can lead to both data exposure and modification, as well as potential site takeover if the executed shortcode performs destructive actions.

Affected Systems

WordPress sites running the WP‑Members Membership Plugin version 3.5.4.2 or earlier are affected. The plugin, developed by cbutlerjr, is widely used for membership and user registration features. Any installation that accepts Subscriber-level members and lets them edit their profile names is vulnerable. No other products or vendors are impacted based on the data provided.

Risk and Exploitability

The CVSS score of 5 indicates a medium level of severity, and the EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not yet listed in the CISA KEV catalog. Attackers require authenticated access with at least Subscriber privilege, which is typically granted to all registered members, so the flaw is reachable by a broad segment of a site's user base. Successful exploitation would allow the attacker to inject and run arbitrary shortcodes, potentially leading to full code execution if the executed shortcode performs privileged actions.

Generated by OpenCVE AI on April 20, 2026 at 19:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP‑Members plugin to version 3.5.5 or later, where profile names are validated before shortcode processing.
  • Remove or disable any custom shortcodes that are automatically processed from user profile names, ensuring that only trusted shortcodes can run.
  • Enforce least privilege on user roles: review what the Subscriber role can edit and restrict it so that user‑provided profile data cannot carry executable shortcodes.
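The defensive check implied by the Impact paragraph and by the second recommended action, as an added example that is not OpenCVE's or the plugin's own code: a Python audit over exported user rows (assumed to come from wp_users/wp_usermeta; the sample rows are constructed) that flags profile name fields containing shortcode-shaped tokens, plus the strip step to apply before any such field reaches do_shortcode.

```python
"""Audit exported WordPress profile name fields for embedded shortcode tags.
Added illustration for this advisory (not OpenCVE's or WP-Members' code);
input rows are assumed exported from wp_users/wp_usermeta, samples constructed."""
import re

# Shortcode-shaped token: [tag], [tag attr=..], [tag /] or [/tag]. Groups 1 and 3
# catch the [[...]] escape form, which WordPress renders literally, not executes.
# Tag character set is an assumption; WordPress only runs registered tags.
SHORTCODE_RE = re.compile(r"\[(\[?)/?([A-Za-z0-9_-]+)(?:\s[^\]]*)?/?\](\]?)")

PROFILE_NAME_FIELDS = ("first_name", "last_name", "display_name", "nickname")


def _is_escaped(m: re.Match) -> bool:
    return m.group(1) == "[" and m.group(3) == "]"


def find_shortcodes(value: str) -> list[str]:
    """Tag names of executable shortcode tokens in a single field value."""
    return [m.group(2) for m in SHORTCODE_RE.finditer(value) if not _is_escaped(m)]


def strip_shortcodes(value: str) -> str:
    """Remove executable shortcode tokens; keep the escaped [[...]] form as text.
    Apply this (or WordPress's own strip_shortcodes) to a profile field before
    it reaches any code path that calls do_shortcode on it."""
    cleaned = SHORTCODE_RE.sub(lambda m: m.group(0) if _is_escaped(m) else "", value)
    return re.sub(r"\s{2,}", " ", cleaned).strip()


def audit_users(rows: list[dict]) -> list[tuple[int, str, list[str]]]:
    """(user_id, field, tags) for every profile name field carrying a shortcode."""
    findings = []
    for row in rows:
        for field in PROFILE_NAME_FIELDS:
            tags = find_shortcodes(str(row.get(field, "")))
            if tags:
                findings.append((row["ID"], field, tags))
    return findings


# Constructed sample export: users 2 and 3 carry shortcode-shaped name values.
SAMPLE_ROWS = [
    {"ID": 1, "first_name": "Alice", "last_name": "Smith", "display_name": "Alice"},
    {"ID": 2, "first_name": "[demo_form id=3]", "last_name": "Doe",
     "display_name": "Bob [[gallery]]"},
    {"ID": 3, "first_name": "Carol", "last_name": "Lee", "display_name": "[demo_cta /]"},
]
```

Run `audit_users` over a real export to find accounts whose names already carry shortcode tokens; such accounts are worth reviewing even after the plugin is updated.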

Advisories

No advisories yet.

History

Tue, 09 Sep 2025 21:45:00 +0000

  First Time appeared | Values Added: Wordpress; Wordpress wordpress
  Vendors & Products  | Values Added: Wordpress; Wordpress wordpress

Tue, 09 Sep 2025 14:15:00 +0000

  Metrics | Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Sep 2025 04:45:00 +0000

  Description | Values Added: The WP-Members Membership Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.5.4.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.
  Title       | Values Added: WP-Members Membership Plugin <= 3.5.4.2 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via Profile Names
  Weaknesses  | Values Added: CWE-94
  References  | Values Added:
  Metrics     | Values Added: cvssV3_1 {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:14:17.138Z

Reserved: 2025-08-26T13:24:23.171Z

Link: CVE-2025-9489

Vulnrichment

Updated: 2025-09-09T13:20:05.348Z

NVD

Status : Deferred

Published: 2025-09-09T05:15:33.463

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9489

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T19:45:15Z

Weaknesses