CVE-2025-11920

Name of the Vulnerable Software and Affected Versions WPCOM Member versions prior to 1.7.15

Description The WPCOM Member plugin for WordPress is susceptible to Local File Inclusion. This issue affects versions up to and including 1.7.14 and is triggered through the action parameter within a shortcode. Authenticated attackers with Contributor-level access or higher can exploit this to include and execute arbitrary .php files on the server. Successful exploitation allows for the execution of PHP code, potentially enabling attackers to bypass access controls and obtain sensitive data. The issue can lead to code execution if .php file uploads are permitted. The vulnerable parameter is action.

Recommendations Update WPCOM Member to version 1.7.15 or later.