CVE-2025-7495: 
WordPress vulnerability analysis and mitigation

The WP-Members Membership Plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-7495) in versions up to and including 3.5.4.1. The vulnerability exists in the plugin's 'wpmemloginlink' shortcode due to insufficient input sanitization and output escaping on user supplied attributes (Wordfence).

The vulnerability is present in the plugin's shortcode functionality where user-supplied attributes are not properly sanitized before being output. This allows authenticated attackers with contributor-level access or above to inject arbitrary web scripts into pages. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.4 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When successfully exploited, this vulnerability allows authenticated attackers to inject malicious scripts that will execute whenever a user accesses an affected page. This could lead to theft of sensitive information, session hijacking, or other client-side attacks against site visitors (AttackerKB).

The vulnerability has been patched in version 3.5.4.2 of the WP-Members plugin. Site administrators should update to this version immediately. The patch implements proper sanitization of HTML tag attributes in the shortcode functionality (WordPress Plugin Repository).