CVE-2025-11920
BaseFortify
Publication date: 2025-11-01
Last updated on: 2025-11-04
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range | Status |
|---|---|---|---|
| wordpress | wpcom_member | up to and including 1.7.14 | Affected |
| wordpress | wpcom_member | 1.7.15 | Fixed (first patched release) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'): the PHP application receives input from an upstream component but does not restrict, or incorrectly restricts, that input before using it in require, include or similar functions. |
AI Powered Q&A
Can you explain this vulnerability to me?
The WPCOM Member plugin for WordPress, in all versions up to and including 1.7.14, is vulnerable to Local File Inclusion (LFI, CWE-98) through the 'action' attribute of one of its shortcodes: the attribute value is used to build a file path that is handed to a PHP include without adequate restriction. Shortcodes are rendered from post content, so any authenticated user with Contributor-level access or higher can place the shortcode in a post they control, choose the 'action' value, and thereby include and execute an arbitrary PHP file that already exists on the server. Whatever PHP code that file contains runs with the web server's privileges, which can be used to bypass access controls and read sensitive data; it becomes full code execution when the attacker can also get a file containing PHP onto disk by some other means, since the include itself does not create files.
How can this vulnerability impact me?
The impact is unauthorized PHP execution on the web server, bypass of the site's access controls, and exposure of sensitive data such as configuration files. Because the attacker only needs a Contributor account, which many sites hand out to guest authors, a single low-privilege credential can be turned into full site compromise, data theft, or disruption of service.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Start by confirming whether a vulnerable version (1.7.14 or earlier) is installed. With WP-CLI: `wp plugin get wpcom-member --field=version` (or `wp plugin list | grep wpcom-member`); without it, read the `Version:` header of the plugin's main file under `wp-content/plugins/`. Exploitation leaves traces in two places. First, in stored content: the shortcode and its 'action' value are saved in post content by the Contributor, so search `wp_posts.post_content` (drafts, pending posts and revisions included, since the shortcode does not have to be published to be rendered in a preview) for the plugin's shortcode with an 'action' value containing path traversal (`..`), directory separators, a `.php` suffix or a PHP stream wrapper such as `php://`. Second, in web server logs: grepping for the bare parameter name (`grep -i 'action=' /path/to/access.log`) is very noisy because WordPress admin and AJAX requests use `action=` constantly; what is worth correlating is post saves from low-privilege accounts followed by requests to the front-end page or preview where that post is rendered. The resources do not give a specific detection command, so treat these as starting points and adapt them to your log format. [3]
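The stored-content check described above, as an added example that is not part of the advisory or of the plugin: a PHP script that scans post rows for any shortcode carrying an `action="..."` attribute and flags values that look like inclusion probes. The advisory does not name the shortcode, so the scanner inspects every shortcode with such an attribute; the shortcode name `wpcom_member_demo`, the function names and the sample rows are all constructed for this demo.

```php
<?php
// Added detection example (not the advisory's or the plugin's code). Scans
// post_content for [shortcode action="..."] and reports values that are not a
// plain template name. Sample rows below are constructed for this demo.

declare(strict_types=1);

/** Patterns that have no business in a template-name attribute. */
const SUSPICIOUS_ACTION_PATTERNS = [
    'traversal'     => '~(^|[\\\\/])\.\.([\\\\/]|$)~',   // ../ or ..\ segments
    'separator'     => '~[\\\\/]~',                      // any directory separator
    'php-extension' => '~\.php\d?$~i',                   // explicit .php / .php7 target
    'wrapper'       => '~^[a-z][a-z0-9+.-]*://~i',       // php://, data://, file:// ...
    'null-byte'     => '~%00|\x00~',                     // legacy extension-truncation trick
];

/** Return every [name ... action=VALUE ...] occurrence in $content. */
function extract_action_attributes(string $content): array
{
    $found = [];
    if (!preg_match_all('~\[([a-z0-9_-]+)((?:\s+[^\]]*)?)\]~i', $content, $tags, PREG_SET_ORDER)) {
        return $found;
    }
    foreach ($tags as $tag) {
        $attrs = $tag[2] ?? '';
        // Quoted ("..." or '...') and bare values are all accepted by WordPress' parser.
        if (preg_match('~\baction\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))~i', $attrs, $m)) {
            $found[] = ['shortcode' => $tag[1], 'action' => $m[3] ?? $m[2] ?? $m[1]];
        }
    }
    return $found;
}

/** Names of the SUSPICIOUS_ACTION_PATTERNS that an action value triggers (empty = benign). */
function classify_action(string $value): array
{
    $reasons = [];
    foreach (SUSPICIOUS_ACTION_PATTERNS as $name => $regex) {
        if (preg_match($regex, $value)) {
            $reasons[] = $name;
        }
    }
    return $reasons;
}

/** Scan rows shaped like wp_posts (ID, post_author, post_status, post_content). */
function scan_posts(array $rows): array
{
    $findings = [];
    foreach ($rows as $row) {
        foreach (extract_action_attributes($row['post_content']) as $hit) {
            $reasons = classify_action($hit['action']);
            if ($reasons !== []) {
                $findings[] = [
                    'post_id'   => $row['ID'],
                    'author'    => $row['post_author'],
                    'status'    => $row['post_status'],
                    'shortcode' => $hit['shortcode'],
                    'action'    => $hit['action'],
                    'reasons'   => $reasons,
                ];
            }
        }
    }
    return $findings;
}

// Constructed sample rows; only 102 and 103 should be reported.
$rows = [
    ['ID' => 101, 'post_author' => 7,  'post_status' => 'draft',
     'post_content' => 'Welcome! [wpcom_member_demo action="login"]'],
    ['ID' => 102, 'post_author' => 42, 'post_status' => 'draft',
     'post_content' => '[wpcom_member_demo action="../../wp-content/uploads/2025/11/avatar"]'],
    ['ID' => 103, 'post_author' => 42, 'post_status' => 'pending',
     'post_content' => "[wpcom_member_demo action='php://filter/convert.base64-encode/resource=../../wp-config']"],
    ['ID' => 104, 'post_author' => 3,  'post_status' => 'publish',
     'post_content' => '[gallery ids="1,2"] [wpcom_member_demo action=profile]'],
];

foreach (scan_posts($rows) as $f) {
    printf("post %d (author %d, %s): [%s action=%s] -> %s\n",
        $f['post_id'], $f['author'], $f['status'], $f['shortcode'], $f['action'], implode(', ', $f['reasons']));
}
```

For a real audit, feed the script rows pulled from the database rather than the constructed sample, for example from `$wpdb` inside `wp eval-file`, or exported with `wp db query` using a `SELECT ID, post_author, post_status, post_content FROM wp_posts WHERE post_content LIKE '%action=%'` query that also covers drafts and revisions. A reported post identifies both the payload and the Contributor account that wrote it.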
What immediate steps should I take to mitigate this vulnerability?
Update the WPCOM Member plugin to version 1.7.15 or later; that release restricts the value taken from the 'action' attribute before it reaches the file inclusion. Until the update is applied: audit and reduce who holds Contributor or higher roles, since the vulnerability is not reachable by anonymous users or Subscribers; review existing posts and drafts for the plugin's shortcode with unexpected 'action' values; and, if the site can tolerate it, temporarily disable the affected shortcode or deactivate the plugin. Applying the official update from the plugin author is the recommended fix. [3]
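To make concrete both the flaw class explained in the first answer (an unrestricted shortcode attribute becoming an include path) and the kind of restriction the mitigation answer refers to, here is an added example that is not the WPCOM Member plugin's code and not the vendor's fix. The shortcode name `member_demo`, the attribute defaults, the allowlist and the template directory are hypothetical; only the pattern "attribute -> include path" mirrors the advisory.

```php
<?php
// Added illustration of CWE-98 in a WordPress shortcode handler, vulnerable and
// hardened side by side. NOT the WPCOM Member plugin's code: shortcode name,
// allowlist and template layout are hypothetical.

declare(strict_types=1);

// WordPress provides shortcode_atts(); a minimal stand-in lets this run outside WP.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts): array
    {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// Hypothetical template directory, created on the fly so the example is self-contained.
define('DEMO_TEMPLATE_DIR', sys_get_temp_dir() . '/lfi_demo_templates_' . getmypid());
@mkdir(DEMO_TEMPLATE_DIR, 0700, true);
file_put_contents(DEMO_TEMPLATE_DIR . '/login.php', '<?php echo "[login form]";');

/** Vulnerable: the attribute, written by any Contributor, becomes the include path unchecked. */
function vulnerable_template_path(array $atts): string
{
    $atts = shortcode_atts(['action' => 'login'], $atts);
    // action="../../wp-config" walks out of the template directory; the appended
    // ".php" does not stop that, and a file with PHP in it runs when included.
    return DEMO_TEMPLATE_DIR . '/' . $atts['action'] . '.php';
}

/** Hardened: allowlist the name, then confine the resolved path to the template directory. */
function safe_template_path(array $atts): ?string
{
    static $allowed = ['login', 'register', 'profile'];   // hypothetical allowlist
    $atts = shortcode_atts(['action' => 'login'], $atts);
    $action = (string) $atts['action'];

    if (!in_array($action, $allowed, true)) {
        return null;                                        // unknown action: render nothing
    }
    $base = realpath(DEMO_TEMPLATE_DIR);
    $real = realpath(DEMO_TEMPLATE_DIR . '/' . basename($action) . '.php');
    // realpath() is false for a missing file; the prefix test rejects anything that
    // still resolved outside $base (symlinked templates included).
    if ($base === false || $real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

/** Shortcode callback on the hardened resolver: returns '' rather than including anything unexpected. */
function safe_render(array $atts): string
{
    $file = safe_template_path($atts);
    if ($file === null) {
        return '';
    }
    ob_start();
    include $file;
    return (string) ob_get_clean();
}

if (function_exists('add_shortcode')) {
    add_shortcode('member_demo', 'safe_render');            // hypothetical shortcode name
}

// Demo: a benign value, an LFI probe, and an allowed name whose template is absent.
$probes = [
    ['action' => 'login'],
    ['action' => '../../../../wp-config'],
    ['action' => 'profile'],
];
foreach ($probes as $atts) {
    printf("action=%-26s\n  vulnerable path: %s\n  safe path:       %s\n  rendered:        %s\n",
        var_export($atts['action'], true),
        vulnerable_template_path($atts),
        safe_template_path($atts) ?? 'null',
        var_export(safe_render($atts), true));
}

// Tidy up the temporary template directory.
unlink(DEMO_TEMPLATE_DIR . '/login.php');
rmdir(DEMO_TEMPLATE_DIR);
```

The allowlist alone would already stop the traversal value, because `../../../../wp-config` is not one of the permitted names; the `realpath()` prefix check is the second layer that holds even if the allowlist is later loosened to accept user-chosen names. Run it with `php example.php` to see the vulnerable resolver happily produce a path under `wp-config.php` while the hardened one returns `null` and renders nothing.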