CVE-2025-11920: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in whyun WPCOM Member
The WPCOM Member plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.7.14 via the action parameter in one of its shortcodes. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
AI Analysis
Technical Summary
CVE-2025-11920 is a Local File Inclusion vulnerability, classified under CWE-98, in the whyun WPCOM Member plugin for WordPress. It affects all versions up to and including 1.7.14 and is triggered through the 'action' parameter of one of the plugin's shortcodes. Because WordPress Contributors can author posts that contain shortcodes, an authenticated attacker with Contributor-level privileges or higher can supply an action value that makes the plugin include an arbitrary .php file from the server filesystem, and any PHP code in that file then runs in the web server's context. Two consequences follow from the sink being an include of a local path. First, including files that already exist on the server can be enough to bypass the plugin's own access checks or expose sensitive data. Second, full code execution requires an attacker-controlled .php file already on disk; Contributors cannot upload media by default, so in practice that depends on a separate upload path (another plugin, a misconfiguration, or a higher-privileged account). The attack requires network access and an authenticated account but no user interaction, so it is straightforward once credentials are obtained. The CVSS v3.1 base score of 8.8 reflects high impact on confidentiality, integrity and availability with low attack complexity and low privileges required. No public exploit is reported here, but the wide deployment of WordPress membership plugins makes later exploitation likely. The affected range (up to and including 1.7.14) indicates that a later release addresses the issue; confirm the fixed version with the vendor or the Wordfence advisory, and treat any site still on 1.7.14 or earlier as needing immediate mitigation.
Potential Impact
For European organizations, this vulnerability poses a significant risk because WordPress is widely used as a content management system and membership plugins such as WPCOM Member are common on sites that serve customers and members. Successful exploitation can lead to code execution on the web server, allowing attackers to bypass access controls, read sensitive customer or corporate data, deface sites, or use the compromised host as a foothold for further intrusion. Personal data exposed this way is subject to GDPR breach-notification duties and penalties, in addition to reputational damage and operational disruption. Organizations that rely on this plugin for membership management or user access control are particularly exposed, since the vulnerable component is the one enforcing who may see what. The ability to execute arbitrary PHP code also raises the risk of persistent backdoors and lateral movement into internal networks. Because WordPress installations are usually internet-facing and accounts with Contributor access are often granted to external authors, the attack surface is large.
Mitigation Recommendations
Start by auditing WordPress installations for the WPCOM Member plugin and its version, and upgrade to a release later than 1.7.14 as soon as one is confirmed fixed. Until then, reduce exposure by limiting Contributor-level and higher accounts to trusted personnel, reviewing existing user roles for accounts that no longer need them, and requiring strong authentication for all accounts that can author content. If patching is not yet possible, temporarily disable the plugin or unregister the affected shortcode. Note one caveat when writing web application firewall rules: the 'action' value is a shortcode attribute stored in post content, not an HTTP query parameter, so a rule that only inspects a request parameter named 'action' will not see it. Inspect post-save requests and stored post_content for the plugin's shortcode with action values containing path separators, '..', '.php' or stream wrappers such as php://, and alert on them. Harden uploads so that .php files cannot be stored and executed (block PHP execution in wp-content/uploads at the web server level), and restrict filesystem permissions so the web server user can read only what it needs. Enable detailed logging and alerting for file inclusion attempts and anomalous PHP execution, and follow vendor and Wordfence advisories for the official fix.
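The following is an added illustration of the CWE-98 pattern described above and of the content scan recommended in the mitigation section. It is not code from the WPCOM Member plugin (the page does not show the affected shortcode or its handler); the shortcode name member_area, the template names login/register/profile, the cwe98_* function names and the sample posts are all hypothetical. It shows a shortcode handler that concatenates the action attribute into include(), the hardened form using an allowlist plus realpath() confinement, and a scanner that applies the same allowlist to stored post content.

```php
<?php
// Added example (not WPCOM Member's code). All names and samples are hypothetical.

const ALLOWED_ACTIONS = ['login', 'register', 'profile']; // assumed set of legitimate templates

// Vulnerable pattern: the attribute value is concatenated straight into include().
// Anyone who can place the shortcode in post content (Contributor and above) chooses
// the path; "../" traversal, absolute paths and stream wrappers all reach the sink.
// Defined for comparison only; it is never called below.
function cwe98_vulnerable_render(array $atts, string $templateDir): string {
    $action = $atts['action'] ?? 'login';
    ob_start();
    include $templateDir . '/' . $action . '.php';   // UNSAFE: attacker-controlled path
    return (string) ob_get_clean();
}

// Hardened resolver: map the attribute to a file only if it is on an allowlist, then
// verify that the resolved path still lies inside the template directory.
function cwe98_resolve_action(string $action, string $templateDir, array $allowed): ?string {
    if (!in_array($action, $allowed, true)) {
        return null;                                   // unknown action: no include at all
    }
    $base = realpath($templateDir);                    // collapses "..", "./" and symlinks
    $path = realpath($templateDir . '/' . $action . '.php');
    if ($base === false || $path === false) {
        return null;                                   // missing file, or a wrapper/URL
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                                   // resolved outside the template dir
    }
    return $path;
}

function cwe98_hardened_render(array $atts, string $templateDir, array $allowed): string {
    $path = cwe98_resolve_action((string) ($atts['action'] ?? 'login'), $templateDir, $allowed);
    if ($path === null) {
        return '';
    }
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// Scanner for stored post content: find any shortcode carrying an action attribute and
// report values that are not on the allowlist. Double-quoted, single-quoted and bare
// attribute values are all handled, as WordPress's own shortcode parser accepts them.
function cwe98_scan_post_content(string $content, array $allowed): array {
    $findings = [];
    $re = '/\[([a-z0-9_-]+)[^\]]*?\baction\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/i';
    if (preg_match_all($re, $content, $matches, PREG_SET_ORDER)) {
        foreach ($matches as $hit) {
            $value = '';
            foreach ([2, 3, 4] as $g) {                // first non-empty capture group wins
                if (isset($hit[$g]) && $hit[$g] !== '') { $value = $hit[$g]; break; }
            }
            if (!in_array($value, $allowed, true)) {
                $findings[] = ['shortcode' => $hit[1], 'action' => $value];
            }
        }
    }
    return $findings;
}

// --- runnable demonstration with a temporary template directory ---
$dir = sys_get_temp_dir() . '/cwe98_demo_' . getmypid();
if (!is_dir($dir)) {
    mkdir($dir, 0700);
}
file_put_contents($dir . '/login.php', "<?php echo 'login form rendered';");

$samples = [                                           // constructed attribute values
    ['action' => 'login'],                             // legitimate
    ['action' => '../../wp-config'],                   // traversal to a file outside templates
    ['action' => '/var/www/html/wp-content/uploads/evil'], // absolute path to an uploaded file
    ['action' => 'php://filter/convert.base64-encode/resource=../../wp-config'], // wrapper
];
foreach ($samples as $atts) {
    $out = cwe98_hardened_render($atts, $dir, ALLOWED_ACTIONS);
    printf("%-66s -> %s\n", $atts['action'], $out === '' ? 'rejected' : $out);
}

$posts = [                                             // constructed post_content samples
    'Welcome! [member_area action="profile"]',
    'Draft [member_area action="../../../wp-content/uploads/2025/10/shell"]',
    "[member_area action='php://filter/resource=../../wp-config'] preview",
];
foreach ($posts as $i => $content) {
    foreach (cwe98_scan_post_content($content, ALLOWED_ACTIONS) as $f) {
        printf("post %d: [%s] with non-allowlisted action %s\n", $i, $f['shortcode'], $f['action']);
    }
}

unlink($dir . '/login.php');
rmdir($dir);
```

Run it with the PHP CLI. Only the allowlisted 'login' sample renders; the traversal, absolute-path and php:// samples are rejected before include() is reached, and the scanner reports the second and third posts. The allowlist is the primary control: realpath() confinement alone would still accept an absolute path to an uploaded .php file inside the web root if the template directory were its parent, and it does nothing for stream wrappers, which is why the resolver checks membership first.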
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-17T16:47:34.805Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690567f271a6fc4aff36b3ed
Added to database: 11/1/2025, 1:52:50 AM
Last enriched: 11/8/2025, 2:26:56 AM
Last updated: 12/16/2025, 8:07:11 PM
Views: 102
Related Threats
- CVE-2025-8872: CWE-400 Uncontrolled Resource Consumption in Arista Networks EOS (High)
- CVE-2025-68142: CWE-1333 Inefficient Regular Expression Complexity in facelessuser pymdown-extensions (Low)
- CVE-2025-65589: n/a (Unknown)
- CVE-2025-65581: n/a (Medium)
- CVE-2025-52196: n/a (High)