3 matches found
CVE-2025-2221
The WPCOM Member plugin for WordPress, versions up to and including 1.7.6, is vulnerable to an unauthenticated time-based SQL injection via the user_phone parameter due to insufficient escaping and inadequate query preparation. Consequence: attackers can append additio...
CVE-2024-7493
The WPCOM Member plugin for WordPress (versions ≤ 1.5.2.1) is vulnerable to unauthenticated privilege escalation via User Meta. The issue arises because arbitrary data can be passed to wp_insert_user() during registration, enabling an unauthenticated attacker to set their role to Administrator du...
CVE-2024-47378
The WPCOM Member plugin for WordPress (versions ≤ 1.5.4) is affected by a reflected XSS caused by improper neutralization of input during web page generation. Public sources (Patchstack, Red Hat advisory, CVE records) confirm the issue and name WPCOM Member as affected through 1.5.4. Mitigation per s...