CVE-2025-11920 Overview
CVE-2025-11920 is a Local File Inclusion (LFI) vulnerability affecting the WPCOM Member plugin for WordPress in all versions up to and including 1.7.14. The flaw resides in the action parameter of one of the plugin's shortcodes, which fails to validate user-supplied input before passing it to a file inclusion function. Authenticated attackers with Contributor-level access or higher can include and execute arbitrary .php files on the server.
Critical Impact
Authenticated attackers can execute arbitrary PHP code, bypass access controls, exfiltrate sensitive data, and achieve full code execution on vulnerable WordPress sites where .php files can be uploaded and included.
Affected Products
- WPCOM Member plugin for WordPress, versions ≤ 1.7.14
- WordPress installations using the plugin with Contributor-level or higher accounts enabled
- Multi-author WordPress sites accepting user registrations with author privileges
Discovery Timeline
- 2025-11-01 - CVE-2025-11920 published to the National Vulnerability Database (NVD)
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-11920
Vulnerability Analysis
The vulnerability is classified under CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program. The WPCOM Member plugin exposes a shortcode handler that accepts an action parameter from user-controlled input. This parameter is concatenated into a file path and passed to a PHP include or require statement without proper sanitization or whitelisting.
Referenced source lines in class-member.php (lines 374, 1119, and 1171) demonstrate where the unsafe inclusion logic resides. Because shortcodes can be embedded in posts authored by Contributor-level users, any account with publish-draft permissions can trigger the vulnerable code path. The fix was committed in WordPress Plugin Changeset 3385562.
Root Cause
The root cause is missing input validation on the action shortcode attribute. The plugin treats the parameter as a trusted file identifier and constructs an inclusion path directly from it. Without an allowlist of permitted action names or path normalization, attackers can supply traversal sequences or absolute paths to include arbitrary .php files on the local filesystem.
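As an added illustration of the CWE-98 pattern described above beside its hardened form (this is not the plugin's actual source; the function names, templates directory, default action and allowlist entries are hypothetical):

```php
<?php
// Hypothetical reconstruction of the CWE-98 pattern, not the plugin's code.
// Template names, directory layout and function names are placeholders.

// Vulnerable: the attacker-controlled 'action' attribute becomes part of the
// path handed to include(), so '../' sequences or absolute paths are honoured.
function wpcom_member_render_unsafe(array $atts): string {
    $action = isset($atts['action']) ? (string) $atts['action'] : 'login';
    ob_start();
    include __DIR__ . '/templates/' . $action . '.php';   // CWE-98
    return (string) ob_get_clean();
}

// Hardened: accept only names from a fixed allowlist, then confirm the
// resolved path still lives inside the templates directory before including.
function wpcom_member_render_safe(array $atts): string {
    static $allowed = ['login', 'register', 'profile', 'lostpassword'];
    $action = isset($atts['action']) ? (string) $atts['action'] : 'login';
    if (!in_array($action, $allowed, true)) {
        return '';                       // unknown action: render nothing
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . $action . '.php');
    // realpath() collapses '..' and returns false for missing files, so a
    // prefix check proves the target is a regular template under $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return '';
    }
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// Traversal and absolute-path values never reach include() in the safe version.
var_dump(wpcom_member_render_safe(['action' => '../../../other']) === '');
var_dump(wpcom_member_render_safe(['action' => '/tmp/anything']) === '');
```

The allowlist alone closes the hole; the realpath prefix check is defence in depth for the case where a future change derives the name from elsewhere.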
Attack Vector
An authenticated Contributor crafts a WordPress post containing the vulnerable shortcode with a malicious action value. When the shortcode is rendered, the plugin includes the attacker-specified PHP file. If the attacker can place a .php payload anywhere readable by the web server, such as uploaded media or temporary files, the included file executes with the privileges of the PHP worker process. See the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2025-11920
Indicators of Compromise
- Unexpected .php files appearing in wp-content/uploads/ or other writable directories
- WordPress posts authored by Contributor accounts containing the WPCOM Member shortcode with unusual action parameter values
- PHP error log entries referencing include() or require() failures on paths under user control
- Outbound network connections originating from the PHP-FPM process to unexpected destinations
Detection Strategies
- Audit WordPress access logs for POST requests to admin-ajax.php or shortcode preview endpoints containing action= values with path separators or .. sequences (admin-ajax.php uses a legitimate action= parameter of its own, so match on the separators and traversal sequences rather than the parameter name alone)
- Inspect the WordPress posts and postmeta tables for shortcode patterns referencing the WPCOM Member plugin with non-standard parameters
- Scan the WPCOM Member plugin directory and compare file hashes against the patched 1.7.15 or later release
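An added example, not part of the advisory or the plugin, for the second strategy above: a PHP script that walks wp_posts rows (constructed sample rows stand in for a database query) and flags shortcode action values that look like file paths rather than template names. The shortcode tag name, the attribute parsing and the heuristics are assumptions, since the page does not name the shortcode.

```php
<?php
// Added detection helper, not from the plugin or the advisory. Scans wp_posts
// rows for the plugin's shortcode (tag name is a placeholder; substitute the
// real one) and flags 'action' values that look like paths rather than names.

const WPCOM_SHORTCODE_TAG = 'wpcom_member';   // placeholder
// A legitimate action is a short bare template name; return why a value is not.
function classify_action_value(string $value): ?string {
    if (strpos($value, "\0") !== false)                 return 'null byte';
    if (preg_match('#\.\.[/\\\\]#', $value))            return 'path traversal';
    if (preg_match('#^([a-z]:)?[/\\\\]#i', $value))     return 'absolute path';
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $value)) return 'stream wrapper';
    if (preg_match('/\.php\b/i', $value))               return 'explicit .php reference';
    if (!preg_match('/^[a-z0-9_-]{1,32}$/i', $value))   return 'unexpected characters';
    return null;
}

// Returns [post_id, action_value, reason] for every suspicious shortcode use.
function find_suspicious_shortcodes(array $posts): array {
    $hits  = [];
    $tagRe = '/\[' . preg_quote(WPCOM_SHORTCODE_TAG, '/') . '\s+([^\]]*)\]/i';
    // Matches action="v", action='v' and action=v inside the attribute string.
    $attrRe = '/\baction\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))/i';
    foreach ($posts as $post) {
        if (!preg_match_all($tagRe, $post['post_content'], $m)) continue;
        foreach ($m[1] as $attrString) {
            if (!preg_match($attrRe, $attrString, $a)) continue;
            $value  = ($a[1] ?? '') . ($a[2] ?? '') . ($a[3] ?? '');   // only one group matches
            $reason = classify_action_value($value);
            if ($reason !== null) {
                $hits[] = [(int) $post['ID'], $value, $reason];
            }
        }
    }
    return $hits;
}

// Constructed sample rows standing in for SELECT ID, post_content FROM wp_posts.
$sample = [
    ['ID' => 11, 'post_content' => 'Welcome! [wpcom_member action="login"]'],
    ['ID' => 12, 'post_content' => '[wpcom_member action="../../../../tmp/x"]'],
    ['ID' => 13, 'post_content' => "About me [wpcom_member action='/var/tmp/x']"],
];
foreach (find_suspicious_shortcodes($sample) as [$id, $value, $reason]) {
    printf("post %d: action=%s (%s)\n", $id, $value, $reason);
}
```

Run it against real rows with `wp db query` output or a PDO connection; post revisions and drafts should be included, since a Contributor's shortcode is rendered in preview before the post is ever published.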
Monitoring Recommendations
- Enable WordPress file integrity monitoring on the plugin directory and wp-content/uploads/
- Forward web server and PHP error logs to a centralized logging platform for query and correlation
- Alert on PHP processes spawning shell interpreters, network utilities, or downloaders
How to Mitigate CVE-2025-11920
Immediate Actions Required
- Update the WPCOM Member plugin to a version newer than 1.7.14 as soon as the patched release is published by the vendor
- Audit all Contributor, Author, and Editor accounts; remove or disable any accounts that are not actively required
- Restrict file upload MIME types and disable PHP execution in wp-content/uploads/ via web server configuration
- Review recent posts authored by lower-privileged users for malicious shortcodes
Patch Information
The vendor addressed the issue in WordPress Plugin Changeset 3385562. Site administrators should upgrade to the latest available release of the WPCOM Member plugin and verify the installed version against the WordPress plugin repository.
Workarounds
- Deactivate the WPCOM Member plugin until the patched version is installed
- Deploy a Web Application Firewall (WAF) rule blocking requests containing path traversal sequences in the action parameter
- Set open_basedir in php.ini to restrict PHP file access to the WordPress document root (include the temp, session and upload paths PHP legitimately needs, otherwise uploads and sessions will break)
- Disable PHP execution in upload directories using Apache or Nginx configuration
# Nginx: deny PHP execution within wp-content/uploads. Place this block before
# the generic "location ~ \.php$" fastcgi block: nginx uses the first regex
# location that matches, so the deny rule must be evaluated first.
location ~* ^/wp-content/uploads/.*\.php$ {
    deny all;
}

# Apache 2.4 (mod_authz_core): equivalent restriction via a .htaccess file in
# wp-content/uploads; AllowOverride must permit it. The directives themselves
# must not be commented out, or the file has no effect.
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.