Stored Cross-Site Scripting in Clubmember Plugin by WordPress
CVE-2025-12396

4.4 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 4 November 2025

What is CVE-2025-12396?

The Clubmember plugin for WordPress is susceptible to Stored Cross-Site Scripting, allowing authenticated attackers with administrator privileges to insert arbitrary web scripts. The vulnerability stems from inadequate input sanitization and output escaping in the plugin's admin settings. Consequently, when a user visits an affected page, the injected scripts execute, leading to potential security threats and data exposure. The issue specifically impacts multi-site installations and those where unfiltered HTML is disabled. In those configurations administrators are not granted the unfiltered_html capability, so script stored through the plugin's settings bypasses a restriction WordPress would otherwise enforce.

Affected Version(s)

clubmember * <= 0.2

CVSS V3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ivan Cese