CVE-2025-12018
📋 TL;DR
The MembershipWorks WordPress plugin is vulnerable to stored cross-site scripting (XSS) in admin settings. Authenticated attackers with administrator privileges can inject malicious scripts that execute when users view affected pages. This only impacts WordPress multi-site installations or sites where unfiltered_html capability is disabled.
💻 Affected Systems
- MembershipWorks – Membership, Events & Directory WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Administrator account compromise leading to full site takeover, data theft, or malware distribution to visitors.
Likely Case
Session hijacking, credential theft, or defacement of admin pages by malicious administrators.
If Mitigated
Limited impact due to requirement of administrator privileges and specific WordPress configurations.
🎯 Exploit Status
Exploitation requires administrator-level WordPress credentials. Public proof-of-concept exists in GitHub repository.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 6.14
Vendor Advisory: https://wordpress.org/plugins/memberfindme/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'MembershipWorks – Membership, Events & Directory'. 4. Click 'Update Now' if available. 5. If no update available, deactivate and remove plugin until patched version is released.
🔧 Temporary Workarounds
Enable unfiltered_html for administrators
allEnable the unfiltered_html capability for administrator roles in single-site installations
Add to wp-config.php: define('DISALLOW_UNFILTERED_HTML', false);
Remove admin access from untrusted users
allReview and restrict administrator privileges to trusted personnel only
🧯 If You Can't Patch
- Deactivate and remove the MembershipWorks plugin entirely
- Implement strict access controls and monitor administrator account activity
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for MembershipWorks plugin version 6.14 or earlierCheck Version:
wp plugin list --name=memberfindme --field=versionVerify Fix Applied:
Verify plugin version is higher than 6.14 after update📡 Detection & Monitoring
Log Indicators:
- Unusual admin setting modifications
- JavaScript injection in plugin settings fields
- Multiple failed admin login attempts
Network Indicators:
- Unexpected script tags in admin page responses
- External script loading from admin interfaces
SIEM Query:
source="wordpress" AND (plugin="memberfindme" OR plugin="MembershipWorks") AND (action="updated" OR action="modified")🔗 References
- https://github.com/zast-ai/vulnerability-reports/blob/main/wordpress/plugin/memberfindme/stored-xss.md
- https://plugins.trac.wordpress.org/browser/memberfindme/tags/6.14/memberfindme.php#L103
- https://plugins.trac.wordpress.org/browser/memberfindme/tags/6.14/memberfindme.php#L437
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3393026%40memberfindme&new=3393026%40memberfindme&sfp_email=&sfph_mail=
- https://wordpress.org/plugins/memberfindme/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7cd412d8-6d14-4803-aae6-087e02f9d75f?source=cve
