35 matches found
CVE-2026-2363
The WP-Members Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'order_by' attribute of the wpmem_user_membership_posts shortcode in all versions up to, and including, 3.5.5.1. This is due to insufficient escaping on the user supplied parameter and lack of sufficient...
CVE-2026-2363 WP-Members Membership Plugin <= 3.5.5.1 - Authenticated (Contributor+) SQL Injection via 'order_by' Shortcode Attribute
The WP-Members Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'order_by' attribute of the wpmem_user_membership_posts shortcode in all versions up to, and including, 3.5.5.1. This is due to insufficient escaping on the user supplied parameter and lack of sufficient...
CVE-2026-2363
CVE-2026-2363 : The WP-Members Membership Plugin for WordPress is vulnerable to an SQL Injection via the order_by attribute in the [wpmem_user_membership_posts] shortcode, affecting all versions up to 3.5.5.1. The issue arises from insufficient escaping and improper query preparation, allowing au...
CVE-2025-14448 WP-Members Membership Plugin <= 3.5.4.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Multiple Checkbox and Multiple Select User Profile Fields
The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Multiple Checkbox and Multiple Select user profile fields in all versions up to, and including, 3.5.4.3 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2025-12648 WP-Members Membership Plugin <= 3.5.4.4 - Unauthenticated Information Exposure via Unprotected Files
The WP-Members Membership Plugin for WordPress is vulnerable to unauthorized file access in versions up to, and including, 3.5.4.4. This is due to storing user-uploaded files in predictable directories wp-content/uploads/wpmembers/user_files// without implementing proper access controls beyond bas...
CVE-2025-12648
CVE-2025-12648 (WP-Members Membership Plugin) is a disclosed vulnerability where unauthenticated actors can access user-uploaded documents via direct URLs due to files being stored in predictable directories (wp-content/uploads/wpmembers/user_files//) with only basic directory protections (e.g., ...
WordPress WP-Members Plugin <= 3.5.4.2 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by theviper17 in WordPress Plugin WP-Members versions <= 3.5.4.2...
WordPress plugin WP-Members Membership Plugin code injection vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A code injection vulnerability exist...
CVE-2025-7495
CVE-2025-7495 corresponds to a Stored Cross-Site Scripting flaw in the WP-Members Membership Plugin for WordPress. Multiple sources confirm that versions up to and including 3.5.4.1 are affected due to insufficient input sanitization and output escaping on the wpmem_login_link shortcode, allowing...
CVE-2025-7495 WP-Members <= 3.5.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpmem_login_link' shortcode in all versions up to, and including, 3.5.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possib...
PT-2025-30379 · WordPress · Wp-Members Membership Plugin
Name of the Vulnerable Software and Affected Versions: WP-Members Membership Plugin versions through 3.5.4.1 Description: The WP-Members Membership Plugin for WordPress is susceptible to Stored Cross-Site Scripting through the wpmem_login_link shortcode. Insufficient input sanitization and output...
WordPress WP-Members plugin <= 3.5.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by muhammad yudha in WordPress Plugin WP-Members versions <= 3.5.4.1...
CVE-2025-50051
CVE-2025-50051 is a stored XSS in WordPress WP-Members (WP-Members plugin) up to version 3.5.4, caused by improper input neutralization during web page generation. Affected: WP-Members
CVE-2025-50051 WordPress WP-Members plugin <= 3.5.4 - Cross Site Scripting (XSS) Vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chad Butler WP-Members allows Stored XSS. This issue affects WP-Members: from n/a through 3.5.4...
CVE-2023-2869
The WP-Members Membership plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the dofieldreorder function in versions up to, and including, 3.4.7.3. This makes it possible for authenticated attackers with subscriber-level access to reorde...
CVE-2019-15660
The wp-members plugin before 3.2.8 for WordPress has CSRF...
CVE-2025-4610
The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpmemusermemberships shortcode in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...