CVE-2025-11920: 
WordPress vulnerability analysis and mitigation

The WPCOM Member plugin for WordPress contains a Local File Inclusion vulnerability (CVE-2025-11920) discovered on October 31, 2025. This vulnerability affects all versions up to and including 1.7.14. The issue allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary .php files on the server through the action parameter in one of its shortcodes (NVD, AttackerKB).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue stems from improper control of filename for include/require statements in PHP (CWE-98). The vulnerability exists in the shortcode functionality where the action parameter is not properly sanitized before being used in file inclusion operations (NVD).

When exploited, this vulnerability allows authenticated attackers to include and execute arbitrary PHP files on the server. This can lead to bypass of access controls, unauthorized access to sensitive data, and potential remote code execution if PHP files can be uploaded and included. The high CVSS score reflects the severe potential impact on confidentiality, integrity, and availability of the affected system (AttackerKB).

Users should update the WPCOM Member plugin to a version newer than 1.7.14 when available. Until then, it is recommended to restrict Contributor access only to trusted users and monitor for suspicious file inclusion attempts (Wordfence).