CVE-2025-9489
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-09-09
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wp-members | 3.5.4.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the WP-Members Membership Plugin for WordPress (up to version 3.5.4.2) and allows authenticated users with Subscriber-level access or higher to execute arbitrary shortcodes. The issue arises because the plugin does not properly validate input before running the do_shortcode function, enabling attackers to run any shortcode they choose, potentially leading to unauthorized actions within the WordPress site. [1]
How can this vulnerability impact me? :
The vulnerability can allow an authenticated user with low-level access (Subscriber or above) to execute arbitrary shortcodes, which may lead to unauthorized content display, privilege escalation, or other unintended actions within the WordPress site. This could compromise site integrity, expose sensitive information, or disrupt normal site operations depending on the shortcodes executed. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the WP-Members Membership Plugin version 3.5.4.2 or earlier is installed and active on your WordPress site. You can check the plugin version via WordPress admin dashboard or by inspecting the plugin files. Additionally, monitoring for unusual shortcode execution or unauthorized shortcode usage by Subscriber-level users may indicate exploitation attempts. There are no specific network commands provided in the resources. However, you can use WP-CLI commands to check the plugin version, for example: `wp plugin list --status=active` to list active plugins and their versions. Also, reviewing WordPress logs for shortcode execution by low-privilege users may help detect exploitation. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the WP-Members Membership Plugin to a version later than 3.5.4.2 where this vulnerability is fixed. If an update is not immediately available, restrict Subscriber-level users from executing shortcodes by adjusting user capabilities or disabling shortcode execution for low-privilege users. Additionally, monitor and audit shortcode usage and consider applying custom code or filters to validate shortcode inputs before execution. Limiting access to shortcode-related functionality and ensuring proper capability checks can reduce risk. [1]