PT-2026-1552 · WordPress · Wp-Members Membership Plugin
Thinnawarth Mathuros · Published 2026-01-07 · Updated 2026-01-07 · CVE-2025-12648
CVSS v3.1: 5.3 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
WP-Members Membership Plugin for WordPress versions up to and including 3.5.4.4
Description
The WP-Members Membership Plugin for WordPress stores user-uploaded files in predictable directories (wp-content/uploads/wpmembers/user files/<user id>/) without sufficient access controls. This allows unauthenticated attackers to directly access and download sensitive documents uploaded by site users by guessing or enumerating user ids and filenames. Basic directory listing protection (.htaccess with Options -Indexes) is insufficient to prevent access.
Recommendations
Versions prior to 3.5.4.4 should be updated.
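As an added example (not code from the plugin or from this advisory), the following Python sketch audits the .htaccess files between an upload directory and the document root and reports whether they deny direct requests or only suppress directory listing, which is the gap the description points to. `Require all denied` and `Deny from all` are taken here as the generic Apache deny rules, an assumption and not the plugin's own fix; the function names and the temporary sample tree are constructed.

```python
import re
import tempfile
from pathlib import Path

# DENY_RE: rules that refuse direct requests; NOINDEX_RE: only hides the listing.
DENY_RE = re.compile(r"^(require\s+all\s+denied|deny\s+from\s+all)$", re.I)
NOINDEX_RE = re.compile(r"^options\b.*(?<!\S)-indexes\b", re.I)
RANK = {"none": 0, "listing-only": 1, "deny": 2}

def classify_htaccess(text):
    """Classify one .htaccess body as 'deny', 'listing-only' or 'none'."""
    depth, result = 0, "none"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            depth = max(depth - 1, 0)
        elif line.startswith("<"):
            depth += 1  # rules scoped by <Files>/<IfModule> are left for manual review
        elif depth == 0 and DENY_RE.match(line):
            return "deny"
        elif depth == 0 and NOINDEX_RE.match(line):
            result = "listing-only"
    return result

def audit_upload_dir(docroot, rel_dir):
    """Heuristic: strongest rule in any .htaccess from rel_dir up to docroot."""
    docroot = Path(docroot).resolve()
    current = (docroot / rel_dir).resolve()
    best = "none"
    while True:
        ht = current / ".htaccess"
        if ht.is_file():
            best = max(best, classify_htaccess(ht.read_text(errors="replace")), key=RANK.get)
        if current == docroot or docroot not in current.parents:
            return best
        current = current.parent

def demo():
    """Constructed sample tree: listing disabled first, then direct access denied."""
    rel = "wp-content/uploads/wpmembers"
    with tempfile.TemporaryDirectory() as root:
        ht = Path(root, rel, ".htaccess")
        ht.parent.mkdir(parents=True)
        ht.write_text("Options -Indexes\n")
        before = audit_upload_dir(root, rel)
        ht.write_text("Options -Indexes\nRequire all denied\n")
        return before, audit_upload_dir(root, rel)
```

A result of `listing-only` or `none` means the files remain retrievable by anyone who knows or guesses the URL. Servers that do not read .htaccess at all, such as nginx, need the equivalent rule in their own configuration.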
Fix
Files Accessible to External Parties
Weakness Enumeration
Related Identifiers
Affected Products
Wp-Members Membership Plugin