CVE-2025-12648
Unauthorized File Access in WP-Members Plugin via Predictable Paths
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp-members | wp-members | 3.5.4.4 |
| wp-members | wp-members | 3.5.5_beta_rc_3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-552 | The product makes files or directories accessible to unauthorized actors, even though they should not be. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the WP-Members Membership Plugin for WordPress (up to version 3.5.4.4) allows unauthorized file access because user-uploaded files are stored in predictable directories (wp-content/uploads/wpmembers/user_files/<user_id>/) without proper access controls beyond basic directory listing protection. This means that an unauthenticated attacker who can guess or enumerate user IDs and filenames can directly access and download sensitive documents uploaded by site users via direct URL access.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of sensitive user-uploaded documents, as attackers can access and download files without authentication by guessing or enumerating user IDs and filenames. This compromises user privacy and data security, potentially exposing confidential or personal information stored in these files.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability negatively impacts compliance with standards and regulations such as GDPR and HIPAA because it allows unauthorized access to sensitive personal or protected health information stored in user-uploaded files. Such unauthorized disclosure violates data protection and privacy requirements mandated by these regulations, potentially leading to legal and financial consequences.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if sensitive user-uploaded files are accessible without authentication via predictable URLs in the directory wp-content/uploads/wpmembers/user_files/<user_id>/. You can attempt to enumerate user IDs and try to access files directly via HTTP requests. For example, using curl or wget commands to test access: curl -I https://yourdomain.com/wp-content/uploads/wpmembers/user_files/1/filename.ext wget --spider https://yourdomain.com/wp-content/uploads/wpmembers/user_files/2/filename.ext Additionally, scanning your web server logs for unauthorized access attempts to these directories or files can help detect exploitation attempts. There are no specific commands provided in the resources, but these general HTTP request tests can help detect the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting direct access to the user_files directories by implementing proper access controls beyond basic directory listing protection. This can be done by configuring your web server to deny all direct HTTP access to wp-content/uploads/wpmembers/user_files/ or by moving sensitive files outside the web root. Additionally, updating the WP-Members plugin to a version later than 3.5.4.4 that addresses this issue is recommended. If an update is not immediately possible, consider adding custom .htaccess rules or server configurations to block unauthorized access to these directories.