CVE-2025-12648

5.3 MEDIUM

📋 TL;DR

The WP-Members WordPress plugin stores user-uploaded files in predictable directories without proper access controls, allowing unauthenticated attackers to guess or enumerate user IDs and filenames to download sensitive documents. This affects all WordPress sites using WP-Members plugin versions up to 3.5.4.4.

💻 Affected Systems

Products:
  • WP-Members Membership Plugin for WordPress
Versions: Up to and including 3.5.4.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with user file uploads enabled are vulnerable. The .htaccess file only prevents directory listing but doesn't block direct file access.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Mass exfiltration of sensitive user documents including identification, financial records, or private communications leading to identity theft, financial fraud, or reputational damage.

🟠 Likely Case

Targeted extraction of specific user documents through automated enumeration, potentially exposing personal information for blackmail or credential theft.

🟢 If Mitigated

No unauthorized access to user files; all file requests properly authenticated and authorized before serving content.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires guessing user IDs and filenames, which can be automated through enumeration. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.4.5

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3427043/wp-members/trunk/includes/class-wp-members-forms.php

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the WP-Members plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 3.5.4.5+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Restrict access via .htaccess (Linux / Apache)

Add deny rules so the web server refuses direct requests for uploaded files, instead of only suppressing the directory listing:

# Add to wp-content/uploads/wpmembers/user_files/.htaccess
# Apache 2.4 (mod_authz_core): deny every direct request below this directory
Require all denied

# Apache 2.2 equivalent (mod_access_compat); do not mix with the 2.4 form above
# Order Deny,Allow
# Deny from all

This only takes effect when AllowOverride permits these directives for the uploads tree, and it has no effect on Nginx. Because Apache cannot evaluate the WordPress session, it also blocks legitimate direct downloads by logged-in members; treat it as a stop-gap until the patch is applied.

Disable user file uploads (all platforms)

Temporarily disable the file upload functionality in the plugin settings.

🧯 If You Can't Patch

  • Implement web application firewall rules to block requests to predictable /wp-content/uploads/wpmembers/user_files/ paths
  • Move user-uploaded files outside web root or implement server-side authentication checks before serving files

🔍 How to Verify

Check if Vulnerable:

Check the plugin version in the WordPress admin panel under Plugins → Installed Plugins. If the version is 3.5.4.4 or lower, the site is vulnerable.

Check Version:

wp plugin list --name=wp-members --field=version

Verify Fix Applied:

After updating, test by requesting a known user file via its direct URL while logged out. You should receive a 403/404 response instead of the file contents.

📡 Detection & Monitoring

Log Indicators:

  • Multiple 200/206 HTTP responses to /wp-content/uploads/wpmembers/user_files/ patterns from single IPs
  • Unusual file download patterns from non-authenticated users

Network Indicators:

  • Bursts of GET requests to sequential user ID directories
  • Traffic to predictable file paths without referrer or session cookies

SIEM Query:

source="web_logs" uri="/wp-content/uploads/wpmembers/user_files/*" (status=200 OR status=206) NOT user_agent="*bot*" | stats count by src_ip | sort -count
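Added example (not from the advisory, the plugin or its vendor): a Python scan over Apache combined-format access lines that implements the log and network indicators above, scoring each source IP on successful (200/206) downloads under the user_files path, the number of distinct user directories touched, the longest run of sequential user IDs, and whether any request carried a Referer. It assumes the upload layout `/wp-content/uploads/wpmembers/user_files/<user_id>/<filename>` implied by the "sequential user ID directories" indicator; the log lines, IP addresses, filenames and thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Apache "combined" LogFormat: ip ident user [ts] "method uri proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed layout of the plugin's upload directory: .../user_files/<user_id>/<filename>
USER_FILES_RE = re.compile(
    r"^/wp-content/uploads/wpmembers/user_files/(?P<uid>\d+)/(?P<name>[^/?]+)"
)
SUCCESS_STATUSES = {"200", "206"}  # full and ranged (partial-content) downloads


@dataclass
class SourceStats:
    hits: int = 0          # successful user_files downloads from this IP
    no_referer: int = 0    # downloads that carried no Referer header
    user_ids: set = field(default_factory=set)
    files: set = field(default_factory=set)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def longest_sequential_run(ids):
    """Length of the longest run of consecutive integers in ids (e.g. {3,4,5,9} -> 3)."""
    best = run = 0
    prev = None
    for uid in sorted(ids):
        run = run + 1 if prev is not None and uid == prev + 1 else 1
        best = max(best, run)
        prev = uid
    return best


def collect(lines):
    """Aggregate successful user_files downloads per source IP."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "GET" or rec["status"] not in SUCCESS_STATUSES:
            continue
        path = USER_FILES_RE.match(rec["uri"])
        if not path:
            continue
        s = stats[rec["ip"]]
        s.hits += 1
        s.user_ids.add(int(path["uid"]))
        s.files.add(path["name"])
        if rec["referer"] == "-":
            s.no_referer += 1
    return stats


def find_enumerators(lines, min_hits=5, min_users=3, min_run=3):
    """Return {ip: reason} for sources whose download pattern looks like user-ID enumeration."""
    findings = {}
    for ip, s in collect(lines).items():
        if s.hits < min_hits:
            continue
        run = longest_sequential_run(s.user_ids)
        if len(s.user_ids) < min_users and run < min_run:
            continue  # a single member fetching their own files is not enumeration
        reasons = []
        if len(s.user_ids) >= min_users:
            reasons.append(f"{len(s.user_ids)} distinct user dirs")
        if run >= min_run:
            reasons.append(f"sequential run of {run} user IDs")
        if s.no_referer == s.hits:
            reasons.append("no Referer on any request")
        findings[ip] = "; ".join(reasons)
    return findings


# Constructed sample: one source walking user IDs 1..5 without a Referer,
# one member downloading a single file from the site's own profile page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2025:10:00:01 +0000] "GET /wp-content/uploads/wpmembers/user_files/1/id_scan.pdf HTTP/1.1" 200 48213 "-" "curl/8.5.0"
203.0.113.5 - - [10/Nov/2025:10:00:02 +0000] "GET /wp-content/uploads/wpmembers/user_files/2/id_scan.pdf HTTP/1.1" 404 196 "-" "curl/8.5.0"
203.0.113.5 - - [10/Nov/2025:10:00:02 +0000] "GET /wp-content/uploads/wpmembers/user_files/2/passport.jpg HTTP/1.1" 200 90112 "-" "curl/8.5.0"
203.0.113.5 - - [10/Nov/2025:10:00:03 +0000] "GET /wp-content/uploads/wpmembers/user_files/3/id_scan.pdf HTTP/1.1" 200 51230 "-" "curl/8.5.0"
203.0.113.5 - - [10/Nov/2025:10:00:04 +0000] "GET /wp-content/uploads/wpmembers/user_files/4/id_scan.pdf HTTP/1.1" 206 20480 "-" "curl/8.5.0"
203.0.113.5 - - [10/Nov/2025:10:00:05 +0000] "GET /wp-content/uploads/wpmembers/user_files/5/statement.pdf HTTP/1.1" 200 73000 "-" "curl/8.5.0"
198.51.100.7 - - [10/Nov/2025:10:01:10 +0000] "GET /wp-content/uploads/wpmembers/user_files/42/contract.pdf HTTP/1.1" 200 120000 "https://example.org/members/profile/" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2025:10:01:12 +0000] "GET /wp-content/plugins/wp-members/assets/css/style.css HTTP/1.1" 200 3400 "https://example.org/members/profile/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, reason in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {reason}")
```

The 404 line is ignored on purpose: only 200/206 responses mean a document actually left the server, which is what the log indicator above counts. The thresholds are starting points; on a busy membership site raise `min_hits` and window the input by time before tuning alerts.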
