CVE-2025-12018: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in sourcefound MembershipWorks – Membership, Events & Directory
The MembershipWorks – Membership, Events & Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 6.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
AI Analysis
Technical Summary
CVE-2025-12018 is a stored cross-site scripting (XSS) vulnerability categorized under CWE-79 affecting the MembershipWorks – Membership, Events & Directory plugin for WordPress. The flaw exists due to improper neutralization of input during web page generation, specifically insufficient input sanitization and output escaping in admin settings. This vulnerability affects all versions up to and including 6.14. An attacker with administrator-level privileges can inject arbitrary JavaScript code into pages via the plugin’s admin settings interface. These scripts are stored persistently and execute whenever any user accesses the infected page, potentially leading to session hijacking, privilege escalation, or unauthorized actions. The vulnerability is limited to multi-site WordPress installations or those where the unfiltered_html capability is disabled, i.e. deployments where administrators are not otherwise trusted to submit raw HTML and the plugin is therefore expected to filter their input itself. Exploitation requires authenticated access with high privileges; no user interaction is necessary once the malicious script is injected. The CVSS 3.1 vector (AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N) indicates network attack vector, high attack complexity, high privileges required, no user interaction, scope changed, low confidentiality and integrity impact, and no availability impact. No public exploits have been reported yet, but the vulnerability poses a risk in environments where the plugin is used in multi-site configurations. The lack of patch links suggests a fix may be pending or users must upgrade beyond version 6.14 when available.
Potential Impact
The primary impact of CVE-2025-12018 is the potential for stored XSS attacks in WordPress sites using the MembershipWorks plugin in multi-site setups. Successful exploitation allows attackers with admin privileges to inject malicious scripts that execute in the context of other users’ browsers. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and potential privilege escalation. Although exploitation requires administrator-level access, the vulnerability expands the attack surface by enabling persistent script injection that affects all users accessing the compromised pages. This can undermine trust in the affected website, cause data leakage, and facilitate further attacks within the organization’s network. Since multi-site WordPress installations are common in large organizations, educational institutions, and membership-based services, the impact can be significant in these environments. However, the medium CVSS score reflects that the vulnerability is not trivially exploitable by unauthenticated users and does not directly affect availability.
Mitigation Recommendations
1. Upgrade the MembershipWorks plugin to a version beyond 6.14 once a patch addressing CVE-2025-12018 is released.
2. Until a patch is available, restrict administrator privileges strictly to trusted personnel to minimize the risk of malicious script injection.
3. For multi-site WordPress installations, consider disabling or limiting the use of the MembershipWorks plugin if feasible.
4. Enable and enforce Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected pages.
5. Regularly audit admin settings and plugin configurations for suspicious or unexpected script content.
6. Use security plugins that detect and block stored XSS payloads or sanitize inputs at the application level.
7. Monitor logs for unusual administrator activity that could indicate attempts to exploit this vulnerability.
8. Educate administrators about the risks of injecting untrusted content into plugin settings.
9. Consider implementing web application firewalls (WAFs) with custom rules to detect and block XSS payloads targeting this plugin.
10. Review and adjust the unfiltered_html capability settings carefully, balancing functionality and security needs.
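The "insufficient input sanitization and output escaping in admin settings" pattern described above, shown on a hypothetical WordPress plugin setting alongside its hardened form. This is an added illustration, not code from the MembershipWorks plugin; the option name mw_demo_banner, the settings group and all function names are assumptions.

```php
<?php
// Insecure pattern: the option is registered without a sanitize_callback and echoed
// unescaped. On multisite, or where unfiltered_html is disabled, WordPress expects the
// plugin to filter administrator input; since it never does, a stored <script> is
// rendered into every page that outputs the option.
function mw_demo_register_insecure() {
    register_setting( 'mw_demo_group', 'mw_demo_banner' ); // no sanitize_callback
}
function mw_demo_render_insecure() {
    echo '<div class="mw-banner">' . get_option( 'mw_demo_banner', '' ) . '</div>';
}

// Hardened pattern: sanitize on save, escape on output.
function mw_demo_sanitize_banner( $value ) {
    // Follow the site's own policy: only users holding unfiltered_html may store raw
    // markup; everyone else is reduced to the post-safe allowlist, which drops
    // <script> elements and on* event handlers.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    return wp_kses_post( $value );
}
function mw_demo_register_hardened() {
    register_setting( 'mw_demo_group', 'mw_demo_banner', array(
        'type'              => 'string',
        'sanitize_callback' => 'mw_demo_sanitize_banner',
        'default'           => '',
    ) );
}
function mw_demo_render_hardened() {
    // Filtering again at output time also covers values written before the
    // sanitize_callback existed, e.g. rows stored by an older, vulnerable version.
    echo '<div class="mw-banner">' . wp_kses_post( get_option( 'mw_demo_banner', '' ) ) . '</div>';
}
add_action( 'admin_init', 'mw_demo_register_hardened' );
```

For settings that should never carry markup at all, sanitize_text_field() on save and esc_html() or esc_attr() on output are the stricter choice.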
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-21T13:59:07.927Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6914387341f318252713cf45
Added to database: 11/12/2025, 7:34:11 AM
Last enriched: 2/27/2026, 7:51:48 PM
Last updated: 3/26/2026, 10:28:34 AM