WP-Members Membership Plugin
Moderate fix1 remedy
cpe:2.3:a:wp-members_project:wp-members:*:*:*:*:wordpress:*:*
Moderate fix1 remedy
- <= 3.5.5.1
WP-Members Membership Plugin SQL Injection Vulnerability in WordPress
Vulnerability
Patched
A SQL injection vulnerability has been identified in the WP-Members Membership Plugin for WordPress, affecting all versions up to and including 3.5.5.1. The vulnerability arises from inadequate escaping of user-supplied parameters in the 'order_by' attribute of the [wpmem_user_membership_posts] shortcode. This flaw allows authenticated attackers with Contributor-level access or higher to inject additional SQL queries into existing ones, potentially leading to the extraction of sensitive information from the database.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate SQL queries to access or modify database information. In this case, it could be used to extract sensitive data from the database.
Reproduction
To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can use the [wpmem_user_membership_posts] shortcode and include a crafted 'order_by' parameter that exploits the SQL injection flaw. The injected SQL could then be used to extract sensitive information from the database.
Remediation
Users are advised to update the WP-Members Membership Plugin to version 3.5.6 or a newer patched version.
Added: Mar 4, 2026, 7:19 AM
Updated: Mar 4, 2026, 7:19 AM
Vulnerability Rating
Custom Algorithm
spread
3.4impact
2.5exploitability
6.4remediation
7.7relevance
3.5threat
4.8urgency
2.9incentive
0.0Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.