CVE-2025-11920

CVE-2025-11920 is a Local File Inclusion vulnerability (CWE-98) affecting the WPCOM Member plugin for WordPress in all versions up to and including 1.7.14. The flaw exists via the 'action' parameter in one of the plugin's shortcodes, which fails to properly validate inputs, allowing the inclusion and execution of arbitrary .php files on the server. Published on 2025-11-01, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for confidentiality, integrity, and availability impacts.

Authenticated attackers with Contributor-level access or higher can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By manipulating the 'action' parameter, they can include arbitrary .php files, execute PHP code within those files, bypass access controls, obtain sensitive data, or achieve remote code execution, particularly if the environment allows uploading .php files that can then be included.

References include code locations in class-member.php at lines 1119, 1171, and 374 in version 1.7.13, a patch changeset 3385562 in the plugin trunk, and a Wordfence threat intelligence advisory, suggesting mitigation through updating to a patched version beyond 1.7.14.