CVE-2025-4610

Vulnerability

Overview

The WP-Members Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 3.5.2. The flaw resides in the wpmem_user_memberships shortcode, where user-supplied attributes are not properly sanitized or escaped before being output. This allows attackers to inject arbitrary web scripts that become stored on the server and execute when other users view the affected page [1].

Exploitation

Prerequisites

An attacker must have at least contributor-level access to the WordPress site, as the shortcode can be inserted into posts or pages. No additional authentication is required for the victim; the injected script executes automatically when any user accesses the compromised page. The attack surface is limited to authenticated users with publishing capabilities, but contributor-level accounts are often easier to compromise or create in multi-author environments [1].

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information such as cookies and login credentials. Since the XSS is stored, the malicious payload persists until the injected content is removed, affecting all subsequent visitors [1].

Mitigation

The vendor has not released a patched version as of the publication date. Users are advised to restrict contributor-level access to trusted individuals, apply input validation on shortcode attributes via custom code, or disable the shortcode if not in use. The plugin's support site may provide additional guidance [1].