WP-Members Membership Plugin < 3.5.4.5 – Unauthenticated Information Exposure via Unprotected Files | CVE 2025-12648 | Plugin Vulnerabilities

Description

The WP-Members Membership Plugin for WordPress is vulnerable to unauthorized file access in versions up to, and including, 3.5.4.4. This is due to storing user-uploaded files in predictable directories (wp-content/uploads/wpmembers/user_files/<user_id>/) without implementing proper access controls beyond basic directory listing protection (.htaccess with Options -Indexes). This makes it possible for unauthenticated attackers to directly access and download sensitive documents uploaded by site users via direct URL access, granted they can guess or enumerate user IDs and filenames.

Affects Plugins

Fixed in 3.5.4.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9d0154fd-0cab-4445-a92e-c44ae9931479

Classification

Type

FILE DOWNLOAD

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

thinnawarth mathuros

Verified

No

WPVDB ID

cffd6847-501a-486b-a605-4b54f574a56d

Timeline

Publicly Published

2026-01-06 (about 4 months ago)

Added

2026-01-06 (about 4 months ago)

Last Updated

2026-01-07 (about 4 months ago)

Other

Published

Title

Published

2022-07-11

Title

Project Source Code Download <= 1.0.0 - Unauthenticated Backup Download

Published

2022-11-10

Title

S2W - Import Shopify to WooCommerce < 1.1.13 - Admin+ Arbitrary File Access

Published

2025-11-20

Title

Tainacan < 1.0.1 - Unauthenticated Information Exposure

Published

2022-11-28

Title

Wholesale Market for WooCommerce < 1.0.8 - Admin+ Arbitrary File Download

Published

2024-09-10

Title

EKC Tournament Manager < 2.2.2 - Admin+ Arbitrary File Download