WP-Members Membership Plugin < 3.5.4.3 – Authenticated (Subscriber+) Arbitrary Shortcode Execution via Profile Names | CVE 2025-9489 | Plugin Vulnerabilities

Description

The The WP-Members Membership Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.5.4.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.

Affects Plugins

Fixed in 3.5.4.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/aa2035ef-5251-49cc-a480-b6c167b5ef8c

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Kishan Vyas

Verified

No

WPVDB ID

ff6e0989-72b2-459e-aba1-92f6e2d1e522

Timeline

Publicly Published

2025-09-08 (about 8 months ago)

Added

2025-09-08 (about 8 months ago)

Last Updated

2025-09-09 (about 8 months ago)

Other

Published

Title

Published

2014-08-01

Title

AREA53 <= 1.0.5 - File Upload Code Execution

Published

2026-05-01

Title

Widget Options < 4.2.3 - Contributor+ Remote Code Execution via Display Logic

Published

2025-03-10

Title

WPCS – WordPress Currency Switcher Professional < 1.2.0.5 - Unauthenticated Arbitrary Shortcode Execution

Published

2025-09-26

Title

Norebro Extra <= 1.6.8 - Unauthenticated Arbitrary Shortcode Execution

Published

2023-09-26

Title

Ni Purchase Order(PO) For WooCommerce < 1.2.2 - Admin+ File Upload to Remote Code Execution