Vulnerabilities and security researches forwp-members wp-members

Jun 07, 2024

CVE, Research URL: CVE-2019-15660
Home page URL: Security reports for WP-Members Membership Plugin
Application: WP-Members Membership Plugin
Date: Aug 27, 2019
Research Description: The wp-members plugin before 3.2.8 for WordPress has CSRF.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2017-2222
Home page URL: Security reports for WP-Members Membership Plugin
Application: WP-Members Membership Plugin
Date: Jul 07, 2017
Research Description: Cross-site scripting vulnerability in WP-Members prior to version 3.1.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-2869
Home page URL: Security reports for WP-Members Membership Plugin
Application: WP-Members Membership Plugin
Date: Jul 12, 2023
Research Description: The WP-Members Membership plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the do_field_reorder function in versions up to, and including, 3.4.7.3. This makes it possible for authenticated attackers with subscriber-level access to reorder form elements on login forms.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-6733
Home page URL: Security reports for WP-Members Membership Plugin
Application: WP-Members Membership Plugin
Date: Jan 04, 2024
Research Description: The WP-Members Membership Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.4.8 via the wpmem_field shortcode. This makes it possible for authenticated attackers, with contributor access and above, to extract sensitive data including user emails, password hashes, usernames, and more.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-1987
Home page URL: Security reports for WP-Members Membership Plugin
Application: WP-Members Membership Plugin
Date: Mar 08, 2024
Research Description: The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.4.9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-1852
Home page URL: Security reports for WP-Members Membership Plugin
Application: WP-Members Membership Plugin
Date: Apr 10, 2024
Research Description: The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the X-Forwarded-For header in all versions up to, and including, 3.4.9.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page which is the edit users page. This vulnerability was partially patched in version 3.4.9.2, and was fully patched in 3.4.9.3.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-2920
Home page URL: Security reports for WP-Members Membership Plugin
Application: WP-Members Membership Plugin
Date: Apr 26, 2024
Research Description: The WP-Members Membership Plugin plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.4.9.3 due to the plugin uploading user supplied files to a publicly accessible directory in wp-content without any restrictions. This makes it possible for unauthenticated attackers to view files uploaded by other users which may contain sensitive information.
Affected versions: Min -, max -.
Status: vulnerable

Oct 23, 2024

CVE, Research URL: CVE-2024-9231
Home page URL: Security reports for WP-Members Membership Plugin
Application: WP-Members Membership Plugin
Date: Oct 22, 2024
Research Description: The WP-Members Membership Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.4.9.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: Min -, max -.
Status: vulnerable

Oct 27, 2024

CVE, Research URL: CVE-2024-10374
Home page URL: Security reports for WP-Members Membership Plugin
Application: WP-Members Membership Plugin
Date: Oct 25, 2024
Research Description: The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpmem_loginout shortcode in all versions up to, and including, 3.4.9.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

May 18, 2025

CVE, Research URL: CVE-2025-4610
Home page URL: Security reports for WP-Members Membership Plugin
Application: WP-Members Membership Plugin
Date: May 17, 2025
Research Description: The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpmem_user_memberships shortcode in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable