Local File Inclusion Vulnerability in WPCOM Member Plugin by WordPress
CVE-2025-11920

8.8HIGH

Key Information:

Vendor: WordPress
Status: WPcom Member
Vendor: CVE Published:; 1 November 2025

What is CVE-2025-11920?

The WPCOM Member plugin for WordPress is affected by a Local File Inclusion (LFI) vulnerability that allows authenticated users with Contributor-level access or higher to exploit the action parameter in its shortcodes. This flaw enables attackers to include and execute arbitrary PHP files stored on the server, leading to potential code execution and sensitive data exposure. Such exploitation can compromise the security of the website and bypass existing access controls, making it crucial for users to update to the latest version to mitigate these risks.

Affected Version(s)

WPCOM Member * <= 1.7.14

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wpcom-member/t...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 1, 2025
Vulnerability Reserved
Oct 17, 2025

Credit

Naoya Takahashi

JSON