CVE-2025-11920
📋 TL;DR
The WPCOM Member WordPress plugin has a Local File Inclusion vulnerability that allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary PHP files on the server. This can lead to remote code execution, data theft, and privilege escalation. All WordPress sites using WPCOM Member version 1.7.14 or earlier are affected.
💻 Affected Systems
- WPCOM Member WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise leading to complete data exfiltration, ransomware deployment, or persistent backdoor installation across the WordPress environment.
Likely Case
Unauthorized code execution leading to website defacement, credential theft, or installation of cryptocurrency miners.
If Mitigated
Limited impact due to proper file upload restrictions and server hardening, potentially resulting in failed exploitation attempts.
🎯 Exploit Status
Exploitation requires Contributor-level access. The vulnerability is well-documented with public code references showing the exact vulnerable parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.15 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3385562/wpcom-member/trunk
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find WPCOM Member plugin. 4. Click 'Update Now' if update is available. 5. If no update appears, manually download version 1.7.15+ from WordPress.org and replace plugin files.
🔧 Temporary Workarounds
Disable vulnerable shortcode
allRemove or disable the vulnerable shortcode from WordPress posts/pages
Search WordPress content for [member] shortcode usage and remove or replace
Restrict file uploads
linuxBlock PHP file uploads through WordPress and server configuration
Add to .htaccess: <FilesMatch "\.(php|php5|php7|phtml)$">
Order Deny,Allow
Deny from all
</FilesMatch>
🧯 If You Can't Patch
- Remove WPCOM Member plugin entirely and find alternative membership solution
- Implement strict user role management and audit all Contributor+ accounts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for WPCOM Member version 1.7.14 or earlierCheck Version:
wp plugin list --name=wpcom-member --field=version (if WP-CLI installed)Verify Fix Applied:
Confirm WPCOM Member version is 1.7.15 or later in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual file inclusion attempts in web server logs
- Multiple requests to member.php with action parameter manipulation
- PHP error logs showing file path traversal attempts
Network Indicators:
- HTTP requests containing 'action' parameter with file paths
- POST/GET requests to member.php with unusual parameters
SIEM Query:
web.url:*member.php* AND (web.query:action=* OR web.query:*../*)🔗 References
- https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.13/includes/class-member.php#L1119
- https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.13/includes/class-member.php#L1171
- https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.13/includes/class-member.php#L374
- https://plugins.trac.wordpress.org/changeset/3385562/wpcom-member/trunk
- https://www.wordfence.com/threat-intel/vulnerabilities/id/43b04825-d1c6-4e2a-9035-1f4fbfe14818?source=cve
