CVE-2025-28901
📋 TL;DR
A Cross-Site Request Forgery (CSRF) vulnerability in the WordPress 'Members page only for logged in users' plugin allows attackers to perform stored cross-site scripting (XSS) attacks. When exploited, this lets attackers inject malicious scripts into the members page that execute when other logged-in users view it. This affects all WordPress sites using vulnerable versions of this specific plugin.
💻 Affected Systems
- WordPress Members page only for logged in users plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, hijack admin accounts, deface websites, redirect users to malicious sites, or install backdoors through the injected scripts.
Likely Case
Attackers would typically steal session cookies to hijack user accounts, potentially gaining administrative access if admin users are targeted.
If Mitigated
With proper CSRF tokens and input validation, the attack would fail at the initial CSRF stage, preventing any XSS payload from being stored.
🎯 Exploit Status
Exploitation requires social engineering to trick logged-in users into clicking malicious links. The CSRF leads to stored XSS, which then affects other users viewing the members page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: any version later than 1.4.2
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Members page only for logged in users' plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and delete the plugin, then install the latest version from the WordPress repository.
🔧 Temporary Workarounds
Disable plugin temporarily
Deactivate the vulnerable plugin until a patched version is available:
wp plugin deactivate members-page-only-for-logged-in-users
Implement CSRF protection middleware
Add custom CSRF token validation (WordPress nonces) and input sanitization for the plugin's form-handling endpoints.
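One way to implement the nonce-based CSRF check and input sanitization this workaround calls for, shown as an added example that is not the plugin's own code or code from this advisory; the option name, admin-post action, nonce field name and form field names are hypothetical placeholders.

```php
<?php
/**
 * Added example (not code from the plugin or this advisory): a WordPress
 * admin form handler hardened against the CSRF -> stored XSS pattern the
 * advisory describes. All option/action/field names are placeholders.
 */

// Render the form: wp_nonce_field() binds the request to this user's session.
function example_members_page_form() {
    $content = get_option( 'example_members_page_content', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_members_page">
        <?php wp_nonce_field( 'example_save_members_page', 'example_nonce' ); ?>
        <textarea name="members_content"><?php echo esc_textarea( $content ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle the POST. Without the three checks below, a page an administrator
// happens to visit could submit this form for them and store arbitrary HTML.
function example_save_members_page() {
    // 1. Capability check: only users allowed to manage the site may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF check: dies with 403 if the nonce is missing, expired or forged.
    check_admin_referer( 'example_save_members_page', 'example_nonce' );

    // 3. Sanitize before storing: strips script tags and event-handler attributes.
    $raw   = isset( $_POST['members_content'] ) ? wp_unslash( $_POST['members_content'] ) : '';
    $clean = wp_kses_post( $raw );
    update_option( 'example_members_page_content', $clean );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: admin_url() ) );
    exit;
}
add_action( 'admin_post_example_save_members_page', 'example_save_members_page' );

// 4. Filter again on output so a stale or migrated value cannot reintroduce script.
function example_render_members_page() {
    if ( ! is_user_logged_in() ) {
        return '';
    }
    return wp_kses_post( get_option( 'example_members_page_content', '' ) );
}
```

check_admin_referer() is the core of the workaround: it rejects any request that was not produced by the nonce-bearing form, which is the stage at which the advisory says a properly protected plugin stops this attack.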
🧯 If You Can't Patch
- Remove the plugin completely and use alternative membership solutions
- Implement web application firewall (WAF) rules to block CSRF attempts and XSS payloads
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Members page only for logged in users' plugin version 1.4.2 or earlier
Check Version:
wp plugin get members-page-only-for-logged-in-users --field=version
Verify Fix Applied:
Verify plugin version is higher than 1.4.2 in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to members page endpoints with a missing or cross-origin Referer header
- Multiple failed CSRF token validations
- Suspicious script tags in members page content
Network Indicators:
- Cross-origin requests to plugin endpoints without proper CSRF tokens
- Unexpected JavaScript execution on members pages
SIEM Query:
source="wordpress.log" AND ("members-page-only-for-logged-in-users" OR "csrf" OR "xss") AND status=200