CVE-2025-12018
Description
The MembershipWorks – Membership, Events & Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 6.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in MembershipWorks plugin ≤6.14 allows admin-level attackers to inject scripts via unsanitized settings, affecting multisite or unfiltered_html-disabled installs.
The MembershipWorks – Membership, Events & Directory plugin for WordPress (versions up to and including 6.14) contains a stored cross-site scripting (XSS) vulnerability in its admin settings. The root cause is twofold: first, the plugin uses esc_textarea() to escape user-supplied values that are then placed into HTML attributes (e.g., value="..."), where esc_attr() should be used instead. Second, several member-only message fields are output directly into HTML content without any escaping at all [1].
Exploitation requires an authenticated attacker with administrator-level permissions. The attacker can inject arbitrary JavaScript payloads into plugin settings fields such as the directory search button text or member-only content messages. When a non-member visitor accesses a page containing the [memberonly] shortcode, the injected script executes in the visitor's browser. This attack vector is limited to WordPress multisite installations or any site where the unfiltered_html capability has been disabled for administrators [1][2].
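The two output contexts named above, shown as an added illustration that is not code from the MembershipWorks (memberfindme) plugin or from the cited report. The option names (search_button_text, member_only_message), the render functions and the stored payload values are all constructed for the example; the esc_attr()/esc_html() stand-ins exist only so the file runs outside WordPress, where the real functions are loaded and the stand-ins are skipped.

```php
<?php
// Added example: models the advisory's vulnerable and fixed output paths.
// Option names, function names and payloads are hypothetical.

// Stand-ins so this runs with plain `php`. Inside WordPress the real
// esc_attr()/esc_html() are used; both encode <, >, & and quotes, which
// htmlspecialchars() with ENT_QUOTES also does for these inputs.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Constructed settings values, as an administrator without unfiltered_html
// (e.g. on multisite) could still save them through the plugin's own form.
$settings = array(
    'search_button_text'  => '"><script>alert(1)</script>',                  // hypothetical option
    'member_only_message' => '<img src=x onerror="alert(document.cookie)">', // hypothetical option
);

// Vulnerable shape from the advisory: the non-member message is concatenated
// into page HTML with no output escaping, so stored markup becomes live DOM.
function render_memberonly_vulnerable( array $settings, bool $is_member, string $content ): string {
    if ( $is_member ) {
        return $content;
    }
    return '<div class="member-only">' . $settings['member_only_message'] . '</div>';
}

// Fixed shape: escape for the HTML-body context at the point of output.
function render_memberonly_fixed( array $settings, bool $is_member, string $content ): string {
    if ( $is_member ) {
        return $content;
    }
    return '<div class="member-only">' . esc_html( $settings['member_only_message'] ) . '</div>';
}

// Attribute context: use esc_attr(), the function intended for attribute values.
function render_search_button_fixed( array $settings ): string {
    return '<input type="submit" value="' . esc_attr( $settings['search_button_text'] ) . '">';
}

// Auditor's check on any rendered output: does the stored value survive
// verbatim into the page (i.e. was it emitted without escaping)?
function contains_live_markup( string $html, string $stored ): bool {
    return strpos( $html, $stored ) !== false;
}

$visitor_is_member = false;
$page_vuln  = render_memberonly_vulnerable( $settings, $visitor_is_member, 'Members-only text' );
$page_fixed = render_memberonly_fixed( $settings, $visitor_is_member, 'Members-only text' );

printf( "vulnerable: %s\n", $page_vuln );
printf( "fixed:      %s\n", $page_fixed );
printf( "payload live in vulnerable output: %s\n",
    contains_live_markup( $page_vuln, $settings['member_only_message'] ) ? 'yes' : 'no' );
printf( "payload live in fixed output:      %s\n",
    contains_live_markup( $page_fixed, $settings['member_only_message'] ) ? 'yes' : 'no' );
printf( "button: %s\n", render_search_button_fixed( $settings ) );
```

If the message field is meant to carry limited formatting rather than plain text, wp_kses_post() is the WordPress-idiomatic replacement for esc_html() there; either way the escaping belongs at the output site, because a capability check on save (unfiltered_html) is exactly what is absent in the affected configurations.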
Successful exploitation allows the attacker to execute arbitrary web scripts in the context of any user who views the affected page. This can lead to session hijacking, defacement, or redirection to malicious sites. The vulnerability does not require any additional user interaction beyond viewing the compromised page [1].
As of the publication date, the vendor has not released a patched version; version 6.14 and all earlier versions are affected. Administrators should disable the plugin or apply a strict Content Security Policy until a fix is available. The vulnerability is not known to be exploited in the wild at this time [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=6.14
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/zast-ai/vulnerability-reports/blob/main/wordpress/plugin/memberfindme/stored-xss.md
- plugins.trac.wordpress.org/browser/memberfindme/tags/6.14/memberfindme.php
- plugins.trac.wordpress.org/changeset
- wordpress.org/plugins/memberfindme/
- www.wordfence.com/threat-intel/vulnerabilities/id/7cd412d8-6d14-4803-aae6-087e02f9d75f
News mentions
No linked articles in our index yet.