VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 19 known issues Latest disclosed Mar 03, 2026

WP-Members Membership Plugin Vulnerabilities

Review known vulnerability records for the WordPress plugin WP-Members Membership Plugin (`wp-members`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-2363, CVE-2025-14448 and CVE-2025-12648, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
19
High or Critical
3
Patch Coverage
100%
Last Updated
Mar 04, 2026
Priority CVE Quick Links

Fast paths into WP-Members Membership Plugin CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
18
CVE-2019-15660 High 3.2.8.1
CVE-2019-15660 WP-Members Membership Plugin Cross-Site Request Forgery

WP-Members <= 3.2.7 - Cross-Site Request Forgery

CVE-2024-1852 High 3.4.9.3
CVE-2024-1852 WP-Members Membership Plugin Stored Cross-Site Scripting

WP-Members Membership Plugin <= 3.4.9.2 - Unauthenticated Stored Cross-Site Scripting

CVE-2026-2363 Medium 3.5.6
CVE-2026-2363 WP-Members Membership Plugin SQL Injection

WP-Members Membership Plugin <= 3.5.5.1 - Authenticated (Contributor+) SQL Injection via 'order_by' Shortcode Attribute

CVE-2023-6733 Medium 3.4.9
CVE-2023-6733 WP-Members Membership Plugin Sensitive Information Exposure

WP-Members Membership Plugin <= 3.4.8 - Missing Authorization to Sensitive Information Exposure

CVE-2025-57973 Medium 3.5.4.3
CVE-2025-57973 WP-Members Membership Plugin Stored Cross-Site Scripting

WP-Members <= 3.5.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2025-7495 Medium 3.5.4.2
CVE-2025-7495 WP-Members Membership Plugin Stored Cross-Site Scripting

WP-Members <= 3.5.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2025-50051 Medium 3.5.4.1
CVE-2025-50051 WP-Members Membership Plugin Stored Cross-Site Scripting

WP-Members <= 3.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2025-4610 Medium 3.5.3
CVE-2025-4610 WP-Members Membership Plugin Stored Cross-Site Scripting

WP-Members <= 3.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpmem_user_memberships Shortcode

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for WP-Members Membership Plugin so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
19 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
0 critical and 3 high severity findings.
Recent CVEs
CVE-2026-2363, CVE-2025-14448 and CVE-2025-12648
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for WP-Members Membership Plugin

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-2363
CVE-2026-2363: WP-Members Membership Plugin <= 3.5.5.1 - Authenticated (Contributor+) SQL Injection via 'order_by' Shortcode Attribute

The WP-Members Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'order_by' attribute of the [wpmem_user_membership_posts] shortcode in all versions up to, and including, 3.5.5.1. This is due to insufficient escaping on the user supplied parameter and...

Published
Mar 03, 2026
Patched Release
3.5.6
Affected Versions
Versions up to 3.5.5.1
Next Step
Update to 3.5.6 or newer if supported.
Open CVE-2026-2363 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-14448
CVE-2025-14448: WP-Members Membership Plugin <= 3.5.4.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Multiple Checkbox and Multiple Select User Profile Fields

The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Multiple Checkbox and Multiple Select user profile fields in all versions up to, and including, 3.5.4.3 due to insufficient input sanitization and output escaping. This make...

Published
Jan 14, 2026
Patched Release
3.5.4.4
Affected Versions
Versions up to 3.5.4.3
Next Step
Update to 3.5.4.4 or newer if supported.
Open CVE-2025-14448 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-12648
CVE-2025-12648: WP-Members Membership Plugin <= 3.5.4.4 - Unauthenticated Information Exposure via Unprotected Files

The WP-Members Membership Plugin for WordPress is vulnerable to unauthorized file access in versions up to, and including, 3.5.4.4. This is due to storing user-uploaded files in predictable directories (wp-content/uploads/wpmembers/user_files//) without implementing proper access...

Published
Jan 06, 2026
Patched Release
3.5.4.5
Affected Versions
Versions up to 3.5.4.4
Next Step
Update to 3.5.4.5 or newer if supported.
Open CVE-2025-12648 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-57973
CVE-2025-57973: WP-Members <= 3.5.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP-Members plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to i...

Published
Sep 22, 2025
Patched Release
3.5.4.3
Affected Versions
Versions up to 3.5.4.2
Next Step
Update to 3.5.4.3 or newer if supported.
Open CVE-2025-57973 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-9489
CVE-2025-9489: WP-Members Membership Plugin <= 3.5.4.2 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via Profile Names

The The WP-Members Membership Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.5.4.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortc...

Published
Sep 08, 2025
Patched Release
3.5.4.3
Affected Versions
Versions up to 3.5.4.2
Next Step
Update to 3.5.4.3 or newer if supported.
Open CVE-2025-9489 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-7495
CVE-2025-7495: WP-Members <= 3.5.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpmem_login_link' shortcode in all versions up to, and including, 3.5.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. T...

Published
Jul 21, 2025
Patched Release
3.5.4.2
Affected Versions
Versions up to 3.5.4.1
Next Step
Update to 3.5.4.2 or newer if supported.
Open CVE-2025-7495 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-50051
CVE-2025-50051: WP-Members <= 3.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP-Members plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inj...

Published
Jun 19, 2025
Patched Release
3.5.4.1
Affected Versions
Versions up to 3.5.4
Next Step
Update to 3.5.4.1 or newer if supported.
Open CVE-2025-50051 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-4610
CVE-2025-4610: WP-Members <= 3.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpmem_user_memberships Shortcode

The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpmem_user_memberships shortcode in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping on user supplied attributes....

Published
May 16, 2025
Patched Release
3.5.3
Affected Versions
Versions up to 3.5.2
Next Step
Update to 3.5.3 or newer if supported.
Open CVE-2025-4610 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-10374
CVE-2024-10374: WP-Members <= 3.4.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpmem_loginout Shortcode

The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpmem_loginout shortcode in all versions up to, and including, 3.4.9.5 due to insufficient input sanitization and output escaping on user supplied attributes. This...

Published
Oct 24, 2024
Patched Release
3.4.9.6
Affected Versions
Versions up to 3.4.9.5
Next Step
Update to 3.4.9.6 or newer if supported.
Open CVE-2024-10374 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-9231
CVE-2024-9231: WP-Members Membership Plugin <= 3.4.9.5 - Reflected Cross-Site Scripting

The WP-Members Membership Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.4.9.5. This makes it possible for unauthenticated attackers to inj...

Published
Oct 21, 2024
Patched Release
3.4.9.6
Affected Versions
Versions up to 3.4.9.5
Next Step
Update to 3.4.9.6 or newer if supported.
Open CVE-2024-9231 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-2920
CVE-2024-2920: WP-Members Membership Plugin <= 3.4.9.3 - Unprotected Storage of Potentially Sensitive Files

The WP-Members Membership Plugin plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.4.9.3 due to the plugin uploading user supplied files to a publicly accessible directory in wp-content without any restrictions. This makes it possi...

Published
Apr 25, 2024
Patched Release
3.4.9.4
Affected Versions
Versions up to 3.4.9.3
Next Step
Update to 3.4.9.4 or newer if supported.
Open CVE-2024-2920 Report Open CVE Reference
Plugin High Patched: Yes CVE-2024-1852
CVE-2024-1852: WP-Members Membership Plugin <= 3.4.9.2 - Unauthenticated Stored Cross-Site Scripting

The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the X-Forwarded-For header in all versions up to, and including, 3.4.9.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated a...

Published
Apr 01, 2024
Patched Release
3.4.9.3
Affected Versions
Versions up to 3.4.9.2
Next Step
Update to 3.4.9.3 or newer if supported.
Open CVE-2024-1852 Report Open CVE Reference