{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12018", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-21T13:59:07.927Z", "datePublished": "2025-11-12T07:27:41.747Z", "dateUpdated": "2026-04-08T17:02:46.650Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:46.650Z"}, "affected": [{"vendor": "sourcefound", "product": "MembershipWorks \u2013 Membership, Events & Directory", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.14", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The MembershipWorks \u2013 Membership, Events & Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 6.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "MembershipWorks <= 6.14 - Authenticated (Admin+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7cd412d8-6d14-4803-aae6-087e02f9d75f?source=cve"}, {"url": "https://wordpress.org/plugins/memberfindme/"}, {"url": "https://github.com/zast-ai/vulnerability-reports/blob/main/wordpress/plugin/memberfindme/stored-xss.md"}, {"url": "https://plugins.trac.wordpress.org/browser/memberfindme/tags/6.14/memberfindme.php#L103"}, {"url": "https://plugins.trac.wordpress.org/browser/memberfindme/tags/6.14/memberfindme.php#L437"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3393026%40memberfindme&new=3393026%40memberfindme&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "ZAST.AI"}], "timeline": [{"time": "2025-11-03T23:24:47.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-11T19:16:16.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-12T18:13:04.627068Z", "id": "CVE-2025-12018", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T18:13:13.575Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12018", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-12T18:13:04.627068Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T18:13:09.107Z"}}], "cna": {"title": "MembershipWorks <= 6.14 - Authenticated (Admin+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "ZAST.AI"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "sourcefound", "product": "MembershipWorks \u2013 Membership, Events & Directory", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.14"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-03T23:24:47.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-11T19:16:16.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7cd412d8-6d14-4803-aae6-087e02f9d75f?source=cve"}, {"url": "https://wordpress.org/plugins/memberfindme/"}, {"url": "https://github.com/zast-ai/vulnerability-reports/blob/main/wordpress/plugin/memberfindme/stored-xss.md"}, {"url": "https://plugins.trac.wordpress.org/browser/memberfindme/tags/6.14/memberfindme.php#L103"}, {"url": "https://plugins.trac.wordpress.org/browser/memberfindme/tags/6.14/memberfindme.php#L437"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3393026%40memberfindme&new=3393026%40memberfindme&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The MembershipWorks \u2013 Membership, Events & Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 6.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:46.650Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12018", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:02:46.650Z", "dateReserved": "2025-10-21T13:59:07.927Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-12T07:27:41.747Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The MembershipWorks \u2013 Membership, Events & Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 6.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "id": "CVE-2025-12018", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-12T08:15:40.590", "references": [{"source": "security@wordfence.com", "url": "https://github.com/zast-ai/vulnerability-reports/blob/main/wordpress/plugin/memberfindme/stored-xss.md"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/memberfindme/tags/6.14/memberfindme.php#L103"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/memberfindme/tags/6.14/memberfindme.php#L437"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3393026%40memberfindme&new=3393026%40memberfindme&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/memberfindme/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7cd412d8-6d14-4803-aae6-087e02f9d75f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T13:57:10.605317+00:00", "value": {"mitigation_remediation": ["Upgrade MembershipWorks to version 6.15 or newer to apply the stored\u2011XSS fix.", "Review the plugin\u2019s stored settings and remove any injected script payloads to eliminate existing exploits.", "If upgrading is not immediately possible, disable or uninstall the plugin to stop the attack surface."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting that can be exploited by administrators to run arbitrary scripts on pages viewed by site users"}, "threat_synthesis": {"affected_systems": "All WordPress installations that use the MembershipWorks \u2013 Membership, Events & Directory plugin version 6.14 or earlier on multi\u2011site networks where the unfiltered_html filter is disabled are affected. The issue spans every version up to 6.14 and concerns the plugin\u2019s settings panel that is accessible to users with administrator or higher privileges.", "description_and_impact": "The MembershipWorks \u2013 Membership, Events & Directory plugin for WordPress allows an authenticated administrator or higher to inject arbitrary JavaScript into the plugin\u2019s admin settings. Because the plugin does not properly sanitize or escape input, the stored payload is rendered when a page is viewed, enabling the attacker to execute arbitrary script in the context of the site. This vulnerability is a stored cross\u2011site scripting flaw, classified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 4.4 indicates a low to medium severity. The EPSS score of less than 1% suggests a very low likelihood of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog, meaning no confirmed active exploit has been identified. Based on the description, it is inferred that the usual attack vector is an authenticated local attack through the plugin\u2019s configuration UI; exploitation requires administrator\u2011level access and the presence of an attacker\u2011controlled payload embedded in plugin settings."}}}}, "created": "2025-11-12T22:12:48.118627+00:00", "updated": "2026-04-22T14:00:18.233040+00:00", "vendors": ["sourcefound", "sourcefound$PRODUCT$membershipworks", "wordpress", "wordpress$PRODUCT$wordpress"]}