Stored Cross-Site Scripting Vulnerability in MembershipWorks Plugin for WordPress
CVE-2025-12018

4.4MEDIUM

Key Information:

Vendor

WordPress
Status
Membershipworks – Membership, Events & Directory
Vendor
CVE Published:
12 November 2025

What is CVE-2025-12018?

The MembershipWorks – Membership, Events & Directory plugin for WordPress has a vulnerability that enables authenticated attackers with administrator-level permissions to exploit insufficient input sanitization and output escaping. This flaw allows the injection of arbitrary web scripts into pages, leading to potential execution whenever a user accesses these compromised pages. This issue primarily impacts multi-site installations and those configurations where unfiltered_html settings are disabled, emphasizing the need for site administrators to review their security settings and keep their plugins updated.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

MembershipWorks – Membership, Events & Directory * <= 6.14

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://wordpress.org/plugins/memberfindme/
https://github.com/zast-ai/vulnerability-reports/blob/mai...

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chris
JSON
.