CVE-2025-4610: 
WordPress vulnerability analysis and mitigation

The WP-Members Membership Plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-4610) discovered in versions up to and including 3.5.2. The vulnerability exists in the plugin's wpmemusermemberships shortcode due to insufficient input sanitization and output escaping on user supplied attributes (NVD, Wordfence).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 6.4 (MEDIUM). The flaw exists in the wpmemusermemberships shortcode functionality where user-supplied attributes are not properly sanitized before being stored and displayed. This allows authenticated attackers with contributor-level access or higher to inject malicious web scripts that will execute when users access the affected pages (NVD).

Successful exploitation of this vulnerability allows authenticated attackers with contributor-level privileges to store and execute arbitrary JavaScript code in the context of other users' browsers when they visit pages containing the compromised shortcode. This could lead to theft of sensitive information, session hijacking, or other client-side attacks against site visitors (NVD).

Users should update to a patched version of the plugin when available. The vulnerability affects all versions up to and including 3.5.2. Site administrators should also review and monitor content created by contributors and other privileged users for potential malicious code (NVD).