CVE-2025-12648: CWE-552 Files or Directories Accessible to External Parties in cbutlerjr WP-Members Membership Plugin

Severity: Medium
Tags: Vulnerability, CVE-2025-12648, CWE-552
Published: Wed Jan 07 2026 (01/07/2026, 02:21:46 UTC)
Source: CVE Database V5
Vendor/Project: cbutlerjr
Product: WP-Members Membership Plugin

Description

The WP-Members Membership Plugin for WordPress is vulnerable to unauthorized file access in versions up to, and including, 3.5.4.4. This is due to storing user-uploaded files in predictable directories (wp-content/uploads/wpmembers/user_files/<user_id>/) without implementing proper access controls beyond basic directory listing protection (.htaccess with Options -Indexes). This makes it possible for unauthenticated attackers to directly access and download sensitive documents uploaded by site users via direct URL access, provided they can guess or enumerate user IDs and filenames.

AI-Powered Analysis

Last updated: 01/07/2026, 02:48:19 UTC

Technical Analysis

The WP-Members Membership Plugin for WordPress, developed by cbutlerjr, has an unauthorized file access vulnerability tracked as CVE-2025-12648. The plugin stores user-uploaded files under the predictable path wp-content/uploads/wpmembers/user_files/<user_id>/ and protects that tree only with an .htaccess file containing Options -Indexes. That directive stops Apache from generating a directory listing; it does not restrict access to the files themselves, so any request whose URL names an existing <user_id>/<filename> is served. On Nginx, which ignores .htaccess files entirely, even the listing protection is absent unless the server configuration supplies it. No authentication or user interaction is required, so an unauthenticated attacker who can guess or enumerate user IDs (sequential integers in WordPress) and filenames can fetch documents uploaded by other users.

The vulnerability affects all plugin versions up to and including 3.5.4.4. The CVSS v3.1 base score is 5.3 (medium), corresponding to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N: network attack vector, low attack complexity, no privileges required, no user interaction, and an impact limited to a partial loss of confidentiality with no effect on integrity or availability. No patch or fix is linked in the record at the time of writing, and no exploitation in the wild has been reported. The root cause (CWE-552) is that member uploads are exposed to external parties with no access control at all: the web server, not the application, decides who may read them.
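The weak setting described above (an .htaccess that only carries Options -Indexes) beside a hardened one, as an added example written for this page rather than code from WP-Members or its author: a WordPress must-use plugin that rewrites the directory's .htaccess to refuse every direct request and serves files only through a gated endpoint that requires a logged-in user who owns the file or can edit_users. The function names, the wpmembers_file query parameter and the edit_users capability check are this example's own choices; the directory layout is the one named in the CVE description.

```php
<?php
/**
 * Plugin Name: Gated access to WP-Members user_files (illustrative hardening)
 *
 * Added example for CVE-2025-12648, not code from WP-Members or its author.
 * Install as wp-content/mu-plugins/gated-wpmembers-files.php.
 * Assumption: uploads live in wp-content/uploads/wpmembers/user_files/<user_id>/<filename>,
 * the layout named in the CVE description. Function names, the "wpmembers_file"
 * query parameter and the edit_users capability check are this example's choices.
 */

defined( 'ABSPATH' ) || exit;

/** Absolute path of the directory the plugin writes member uploads into. */
function secure_wpmembers_base_dir() {
	$uploads = wp_upload_dir();
	return trailingslashit( $uploads['basedir'] ) . 'wpmembers/user_files/';
}

/**
 * Server-level control. The plugin's own .htaccess only contains "Options -Indexes",
 * which hides the listing but still serves every file. Replace it with rules that
 * refuse all direct requests; the gated endpoint below reads files from disk with
 * PHP, so it is unaffected. Rewritten on every request in case the plugin restores
 * its own copy. On Nginx, where .htaccess is ignored, add
 * "location ^~ /wp-content/uploads/wpmembers/user_files/ { deny all; }" instead.
 */
function secure_wpmembers_write_htaccess() {
	$dir = secure_wpmembers_base_dir();
	if ( ! is_dir( $dir ) ) {
		return;
	}
	$rules = "# Managed by gated-wpmembers-files mu-plugin\n"
		. "Options -Indexes\n"
		. "<IfModule mod_authz_core.c>\n    Require all denied\n</IfModule>\n"
		. "<IfModule !mod_authz_core.c>\n    Order deny,allow\n    Deny from all\n</IfModule>\n";
	$file = $dir . '.htaccess';
	if ( ! is_file( $file ) || file_get_contents( $file ) !== $rules ) {
		file_put_contents( $file, $rules );
	}
}
add_action( 'init', 'secure_wpmembers_write_htaccess' );

/**
 * Application-level control. Files are reachable only via
 * /?wpmembers_file=<user_id>/<filename>, and only by the owning user or by a
 * user who can edit_users (administrators). Unauthenticated requests get 403.
 */
function secure_wpmembers_serve_file() {
	if ( ! isset( $_GET['wpmembers_file'] ) || ! is_string( $_GET['wpmembers_file'] ) ) {
		return;
	}
	if ( ! is_user_logged_in() ) {
		status_header( 403 );
		exit( 'Authentication required.' );
	}
	$request = (string) wp_unslash( $_GET['wpmembers_file'] );
	// Accept exactly "<digits>/<one path component>": no extra slashes, backslashes or dot-dirs.
	if ( ! preg_match( '#^(\d+)/([^/\\\\]+)$#', $request, $m ) || in_array( $m[2], array( '.', '..' ), true ) ) {
		status_header( 400 );
		exit( 'Bad request.' );
	}
	$owner_id = (int) $m[1];
	$base     = realpath( secure_wpmembers_base_dir() );
	$path     = $base ? realpath( $base . '/' . $owner_id . '/' . $m[2] ) : false;
	// realpath() resolves symlinks; insist the result still sits inside the base directory.
	if ( false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) || ! is_file( $path ) ) {
		status_header( 404 );
		exit( 'Not found.' );
	}
	if ( get_current_user_id() !== $owner_id && ! current_user_can( 'edit_users' ) ) {
		status_header( 403 );
		exit( 'Forbidden.' );
	}
	$type = wp_check_filetype( $path );
	nocache_headers();
	header( 'Content-Type: ' . ( $type['type'] ? $type['type'] : 'application/octet-stream' ) );
	header( 'X-Content-Type-Options: nosniff' );
	// "attachment" keeps the browser from rendering an uploaded HTML or SVG file in the site's origin.
	header( 'Content-Disposition: attachment; filename="' . rawurlencode( basename( $path ) ) . '"' );
	header( 'Content-Length: ' . filesize( $path ) );
	readfile( $path );
	exit;
}
add_action( 'template_redirect', 'secure_wpmembers_serve_file' );
```

Any link the site already emits to a file under user_files/ stops working once the deny rule is in place, which is the intent; templates and admin views that show member uploads must be changed to the gated URL form. On hosts whose Apache configuration does not honour .htaccess (AllowOverride None), the same deny has to go into the virtual host configuration.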

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive user data stored on WordPress sites using the WP-Members Membership Plugin. Unauthorized access to personal documents could lead to privacy violations, reputational damage, and potential non-compliance with the EU General Data Protection Regulation (GDPR), which mandates strict controls on personal data access and processing. The exposure of user files could include personally identifiable information (PII), membership details, or other confidential documents, increasing the risk of identity theft or targeted attacks. Although the vulnerability does not affect system integrity or availability, the breach of confidentiality alone can have severe legal and financial consequences. Organizations relying on this plugin for membership management or content gating should be aware that attackers do not need credentials or interaction to exploit this flaw, making it easier for malicious actors to harvest sensitive data at scale.

Mitigation Recommendations

European organizations should audit their WordPress installations for the WP-Members Membership Plugin and record the installed version (for example with WP-CLI: wp plugin get wp-members --field=version); any version up to and including 3.5.4.4 is affected. Since no official patch is linked at the time of writing, administrators should apply the following compensating controls:

1) Block direct web access to wp-content/uploads/wpmembers/user_files/ at the server level. On Apache, replace the plugin's Options -Indexes rule with Require all denied (Apache 2.4 syntax) in that directory's .htaccess, or put the same rule in the virtual host if .htaccess files are not honoured. On Nginx, which ignores .htaccess, add a location block for the path that returns 403. A blanket deny also stops legitimate members from downloading their own files until step 3 is in place.
2) Move user-uploaded files outside the web root, or to storage that is not reachable by URL at all, so that the only way to read them is through the application.
3) Serve files only through an application-level endpoint that confirms the requester is authenticated and is the file's owner (or holds an administrative capability) before streaming the file, and sends it as an attachment so uploaded HTML or SVG is not rendered in the site's origin.
4) Rename or randomize file and directory names. This reduces the chance of a correct guess but is not an access control on its own; it is a complement to steps 1 to 3, not a substitute.
5) Monitor web server logs for requests under the user_files/ prefix that cycle through user IDs or produce bursts of 404 responses, both of which indicate enumeration of IDs and filenames.
6) Educate site administrators about secure file handling, and weigh whether a membership plugin that stores documents under a predictable public path meets the site's requirements.

Finally, watch for an official patch or update from the plugin developer and apply it promptly once available, then verify that the compensating controls and the patched behaviour do not conflict.
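Detection logic for item 5, as an added example written for this page rather than tooling from WP-Members or its author. The script reads a combined-format access log, counts per client the distinct <user_id>/ directories touched and the 404 responses produced under the user_files/ prefix, and reports clients that cross a threshold. The thresholds are assumptions to be tuned per site, and the embedded log lines are constructed sample data.

```php
<?php
/**
 * Flag enumeration of WP-Members user_files in a combined-format access log.
 * Added example for CVE-2025-12648; not part of WP-Members. Thresholds are assumptions.
 * Usage: php detect-user-files-enumeration.php /var/log/apache2/access.log
 *        php detect-user-files-enumeration.php          (runs on the constructed sample)
 */

const TARGET_PREFIX         = '/wp-content/uploads/wpmembers/user_files/';
const MIN_DISTINCT_USER_IDS = 5;   // one client touching many <user_id>/ directories
const MIN_NOT_FOUND         = 20;  // one client producing many 404s under the prefix

/**
 * Returns [ip => ['requests' => n, 'distinct_user_ids' => n, 'not_found' => n]]
 * for every client whose activity under TARGET_PREFIX crosses a threshold.
 */
function detect_user_files_enumeration( iterable $lines ): array {
	// Combined log format: client - user [time] "METHOD path HTTP/x" status bytes "referer" "agent"
	$re     = '#^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) HTTP/[\d.]+" (\d{3}) #';
	$per_ip = array();
	foreach ( $lines as $line ) {
		if ( ! preg_match( $re, $line, $m ) ) {
			continue;
		}
		list( , $ip, $target, $status ) = $m;
		$path = parse_url( $target, PHP_URL_PATH );
		if ( ! is_string( $path ) || 0 !== strpos( $path, TARGET_PREFIX ) ) {
			continue;
		}
		// Everything after the prefix is "<user_id>/<filename>"; keep the user id only.
		$user_id = explode( '/', substr( $path, strlen( TARGET_PREFIX ) ), 2 )[0];
		if ( ! isset( $per_ip[ $ip ] ) ) {
			$per_ip[ $ip ] = array( 'requests' => 0, 'user_ids' => array(), 'not_found' => 0 );
		}
		$per_ip[ $ip ]['requests']++;
		$per_ip[ $ip ]['user_ids'][ $user_id ] = true;
		if ( '404' === $status ) {
			$per_ip[ $ip ]['not_found']++;
		}
	}
	$alerts = array();
	foreach ( $per_ip as $ip => $s ) {
		$distinct = count( $s['user_ids'] );
		if ( $distinct >= MIN_DISTINCT_USER_IDS || $s['not_found'] >= MIN_NOT_FOUND ) {
			$alerts[ $ip ] = array(
				'requests'          => $s['requests'],
				'distinct_user_ids' => $distinct,
				'not_found'         => $s['not_found'],
			);
		}
	}
	return $alerts;
}

// Constructed sample: one client walking user IDs 1..5 with the same guessed filename,
// and one member fetching their own file from a normal browser session.
$sample = array(
	'203.0.113.7 - - [07/Jan/2026:02:21:46 +0000] "GET /wp-content/uploads/wpmembers/user_files/1/id-scan.pdf HTTP/1.1" 404 196 "-" "curl/8.4.0"',
	'203.0.113.7 - - [07/Jan/2026:02:21:47 +0000] "GET /wp-content/uploads/wpmembers/user_files/2/id-scan.pdf HTTP/1.1" 404 196 "-" "curl/8.4.0"',
	'203.0.113.7 - - [07/Jan/2026:02:21:47 +0000] "GET /wp-content/uploads/wpmembers/user_files/3/id-scan.pdf HTTP/1.1" 404 196 "-" "curl/8.4.0"',
	'203.0.113.7 - - [07/Jan/2026:02:21:48 +0000] "GET /wp-content/uploads/wpmembers/user_files/4/id-scan.pdf HTTP/1.1" 404 196 "-" "curl/8.4.0"',
	'203.0.113.7 - - [07/Jan/2026:02:21:48 +0000] "GET /wp-content/uploads/wpmembers/user_files/5/id-scan.pdf HTTP/1.1" 200 88212 "-" "curl/8.4.0"',
	'198.51.100.9 - - [07/Jan/2026:02:30:02 +0000] "GET /wp-content/uploads/wpmembers/user_files/42/contract.pdf HTTP/1.1" 200 51233 "https://example.org/account/" "Mozilla/5.0"',
);

$lines = isset( $argv[1] ) ? new SplFileObject( $argv[1] ) : $sample;
foreach ( detect_user_files_enumeration( $lines ) as $ip => $a ) {
	printf( "ALERT %s: %d requests, %d distinct user_ids, %d x 404 under %s\n",
		$ip, $a['requests'], $a['distinct_user_ids'], $a['not_found'], TARGET_PREFIX );
}
```

On the constructed sample only 203.0.113.7 is reported (five distinct user IDs, four 404s); the member at 198.51.100.9 is not. Once the gated endpoint from the mitigation steps is in place, every request under the prefix should return 403, so the 404 threshold can be replaced by alerting on any 200 response there.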

Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-03T20:06:09.217Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 695dc7b5873865b863116d9c

Added to database: 1/7/2026, 2:40:53 AM

Last enriched: 1/7/2026, 2:48:19 AM

Last updated: 1/8/2026, 3:53:07 AM