CVE-2025-12018: 
WordPress vulnerability analysis and mitigation

The MembershipWorks – Membership, Events & Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 6.14. The vulnerability was disclosed on November 11, 2025, and was assigned CVE-2025-12018. This security issue affects multi-site installations and installations where unfiltered_html has been disabled (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the admin settings of the plugin. This allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts into pages. These injected scripts will execute whenever a user accesses the affected page. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N (Wordfence).

The vulnerability allows authenticated attackers with administrator-level access to inject malicious scripts that can execute in users' browsers when they visit affected pages. This could potentially lead to theft of sensitive information or manipulation of page content for users viewing the compromised pages (NVD).

The vulnerability affects versions up to and including 6.14 of the MembershipWorks plugin. Website administrators should ensure they are running the latest version of the plugin that includes security fixes. Additionally, limiting administrator access and ensuring proper access controls are in place can help mitigate the risk (WordPress Plugin).