CVE-2025-54017: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2025-54017) affects the Paid Member Subscriptions WordPress plugin, discovered on July 29, 2025. It is identified as a PHP Local File Inclusion vulnerability that impacts versions up to and including 2.15.4. This security flaw is classified as a CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) vulnerability (Patchstack, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High), with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. The attack vector is network-based, requires high attack complexity, needs no privileges, but does require user interaction. The scope is unchanged, with high impact on confidentiality, integrity, and availability (Rapid7, AttackerKB).

This vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server, potentially leading to the execution of any PHP code in those files. The impact could include bypassing access controls, obtaining sensitive data, or achieving code execution in cases where images and other "safe" file types can be uploaded and included (Rapid7).

The vulnerability has been patched in version 2.15.5 of the Paid Member Subscriptions plugin. Users are strongly advised to update to this version or later immediately. For those unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until the update can be applied (Patchstack).