CVE-2025-11920 is a Local File Inclusion vulnerability classified under CWE-98, affecting the whyun WPCOM Member plugin for WordPress in all versions up to and including 1.7.14. The vulnerability arises from improper control of the filename used in an include/require statement within the plugin's shortcode handling, specifically via the 'action' parameter. Authenticated attackers with Contributor-level privileges or higher can manipulate this parameter to include arbitrary PHP files from the server, leading to remote code execution. This attack vector allows bypassing of normal access controls, enabling execution of arbitrary PHP code if an attacker can upload or otherwise place PHP files on the server. The vulnerability does not require user interaction beyond authentication, making it easier to exploit within compromised or insider accounts. The CVSS v3.1 base score is 8.8, indicating high severity with network attack vector, low attack complexity, and privileges required. The impact spans confidentiality, integrity, and availability, as attackers can execute arbitrary code, access sensitive data, and disrupt service. No patches or official fixes are currently linked, and no known exploits in the wild have been reported as of the publication date (November 1, 2025). However, the presence of this vulnerability in a widely used WordPress plugin poses a significant risk to websites relying on it for membership management.

The exploitation of CVE-2025-11920 can have severe consequences for organizations using the WPCOM Member plugin. Attackers with relatively low privileges (Contributor-level) can escalate their capabilities to execute arbitrary PHP code on the web server. This can lead to full site compromise, including unauthorized data access, modification or deletion of website content, installation of backdoors or malware, and disruption of service availability. The ability to bypass access controls undermines the security model of the affected WordPress sites, potentially exposing sensitive user data and administrative functions. For organizations relying on WordPress for customer engagement, membership management, or e-commerce, this vulnerability could result in data breaches, reputational damage, regulatory penalties, and financial losses. The network-exploitable nature and lack of required user interaction increase the risk of automated or targeted attacks, especially in environments where Contributor-level accounts are common or easily compromised.

To mitigate CVE-2025-11920, organizations should immediately upgrade the WPCOM Member plugin to a patched version once available. In the absence of an official patch, administrators should restrict Contributor-level user capabilities to prevent uploading or managing PHP files. Implementing strict file upload controls and sanitizing inputs related to the 'action' parameter can reduce risk. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious include/require patterns targeting the plugin's shortcode parameters can provide temporary protection. Regularly audit user roles and permissions to minimize the number of users with Contributor or higher privileges. Monitoring server logs for unusual file inclusion attempts or PHP execution anomalies is recommended. Additionally, isolating the WordPress environment using containerization or hardened hosting can limit the impact of successful exploitation. Finally, maintain regular backups and incident response plans to recover quickly if compromise occurs.