cleantalk
Vulnerabilities and Security Researches

WP-Members Membership Plugin, CVE-2026-2363

CVE, Research URL

CVE-2026-2363

Home page URL

Security reports for WP-Members Membership Plugin

Application

WP-Members Membership Plugin

Published on
Mar 04, 2026
Research Description
The WP-Members Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'order_by' attribute of the [wpmem_user_membership_posts] shortcode in all versions up to, and including, 3.5.5.1. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions
max 3.5.6.
Status
vulnerable
Previous vulnerability researches
ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) (CVE-2025-24750) , Jan 26, 2025
ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) (CVE-2026-1993) , Apr 14, 2026
ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) (CVE-2026-1992) , Apr 14, 2026
ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) (CVE-2023-23880) , Jun 06, 2024
ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) (CVE-2023-0082) , Jun 06, 2024
New vulnerability
PDF Invoices & Packing Slips for WooCommerce (CVE-2026-1906) , Apr 15, 2026
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin (CVE-2026-4109) , Apr 15, 2026
User Submitted Posts – Enable Users to Submit Posts from the Front End (CVE-2026-2126) , Apr 15, 2026
User Submitted Posts – Enable Users to Submit Posts from the Front End (CVE-2026-0913) , Apr 15, 2026
Display During Conditional Shortcode (CVE-2025-6460) , Apr 15, 2026