CVE-2025-39570

CVE-2025-39570 describes an LFI vulnerability in WordPress plugin WPCOM Member (versions up to and including 1.7.7). The issue arises from improper control of filenames in PHP include/require, enabling local file inclusion. Public records indicate a high-severity exposure (CVSS v3.1 base score 8....

CVE-2025-39570 WordPress WPCOM Member plugin <= 1.7.7 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Lomu WPCOM Member wpcom-member allows PHP Local File Inclusion.This issue affects WPCOM Member: from n/a through = 1.7.7...

WordPress plugin WPCOM Member 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability...

CVE-2025-2221

The WPCOM Member plugin for WordPress is vulnerable to time-based SQL Injection via the ‘userphone’ parameter in all versions up to, and including, 1.7.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possibl...

CVE-2025-2221

The WPCOM Member plugin for WordPress is vulnerable to time-based SQL Injection via the ‘userphone’ parameter in all versions up to, and including, 1.7.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possibl...

CVE-2025-2221 WPCOM Member <= 1.7.6 - Unauthenticated Time-Based SQL Injection

The WPCOM Member plugin for WordPress is vulnerable to time-based SQL Injection via the ‘userphone’ parameter in all versions up to, and including, 1.7.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possibl...

CVE-2025-2221 WPCOM Member <= 1.7.6 - Unauthenticated Time-Based SQL Injection

The WPCOM Member plugin for WordPress is vulnerable to time-based SQL Injection via the ‘userphone’ parameter in all versions up to, and including, 1.7.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possibl...

CVE-2025-2221

The CVE covers the WordPress plugin WPCOM Member (WordPress) versions up to and including 1.7.6, which is vulnerable to an unauthenticated time-based SQL injection via the user_phone parameter due to insufficient escaping and inadequate query preparation. Consequence: attackers can append additio...

WordPress WPCOM Member plugin <= 1.7.6 - Unauthenticated Time-Based SQL Injection vulnerability

Unauthenticated Time-Based SQL Injection vulnerability discovered by wesley wcraft in WordPress Plugin WPCOM Member versions = 1.7.6...

CVE-2025-1475

The WPCOM Member plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.5. This is due to insufficient verification on the 'userphone' parameter when logging in. This makes it possible for unauthenticated attackers to log in as any existing user on t...

CVE-2025-1475 WPCOM Member <= 1.7.5 - Authentication Bypass via 'user_phone'

The WPCOM Member plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.5. This is due to insufficient verification on the 'userphone' parameter when logging in. This makes it possible for unauthenticated attackers to log in as any existing user on t...

CVE-2025-1475 WPCOM Member <= 1.7.5 - Authentication Bypass via 'user_phone'

The WPCOM Member plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.5. This is due to insufficient verification on the 'userphone' parameter when logging in. This makes it possible for unauthenticated attackers to log in as any existing user on t...

WordPress plugin WPCOM Member 授权问题漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plug-in. An authorization issue...

WordPress WPCOM Member plugin <= 1.7.5 - Authentication Bypass via 'user_phone' vulnerability

Authentication Bypass via 'userphone' vulnerability discovered by wesley wcraft in WordPress Plugin WPCOM Member versions = 1.7.5...

Malicious code in wpcom-checkout (npm)

--- -= Per source details. Do not edit below this line.=-...

MAL-2025-1960 Malicious code in wpcom-checkout (npm)

--- -= Per source details. Do not edit below this line.=-...

CVE-2024-7493

The WPCOM Member plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.5.2.1. This is due to the plugin allowing arbitrary data to be passed to wpinsertuser during registration. This makes it possible for unauthenticated attackers to update their role ...

CVE-2024-47378

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Lomu WPCOM Member wpcom-member allows Reflected XSS.This issue affects WPCOM Member: from n/a through = 1.5.4...

CVE-2024-47378

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in WPCOM WPCOM Member allows Reflected XSS.This issue affects WPCOM Member: from n/a through 1.5.4...

CVE-2024-47378

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Lomu WPCOM Member wpcom-member allows Reflected XSS.This issue affects WPCOM Member: from n/a through = 1.5.4...