CVE-2025-7495 is a stored Cross-Site Scripting vulnerability identified in the WP-Members Membership Plugin for WordPress, developed by cbutlerjr. The vulnerability exists in all versions up to and including 3.5.4.1 and is caused by improper neutralization of user-supplied input in the 'wpmem_login_link' shortcode. Specifically, the plugin fails to adequately sanitize and escape attributes provided by authenticated users with contributor-level access or higher. This allows these users to inject arbitrary JavaScript code that is stored persistently and executed in the context of any user who visits the affected page. The vulnerability does not require user interaction but does require the attacker to have at least contributor privileges, which are commonly granted to users who can submit content but not publish it directly. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. The impact includes potential confidentiality and integrity loss, such as session hijacking, defacement, or unauthorized actions performed on behalf of other users. No public exploits have been reported yet, but the vulnerability's nature makes it a significant risk for websites relying on this plugin. The vulnerability was published on July 22, 2025, with no official patches available at the time of reporting, increasing the urgency for mitigation.

The vulnerability allows authenticated attackers with contributor-level access or higher to inject malicious scripts that execute in the browsers of other users visiting the compromised pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed with victim user privileges, and potential site defacement. Since WordPress powers a significant portion of the web, and WP-Members is a popular membership plugin, the scope of affected systems is broad. The attack can compromise the confidentiality and integrity of user data and site content without affecting availability. The requirement for contributor-level access limits exploitation to insiders or compromised accounts but does not require administrative privileges, making it easier for attackers who gain lower-level access to escalate their impact. Organizations relying on this plugin risk reputational damage, data breaches, and loss of user trust if exploited.

Organizations should immediately review user roles and permissions, restricting contributor-level access to trusted users only. Implement strict input validation and output escaping for all user-supplied data, especially in shortcodes and plugin features. Monitor logs and user activity for suspicious behavior indicative of XSS attempts. Until an official patch is released, consider disabling or removing the WP-Members Membership Plugin if feasible, or replace it with alternative membership management solutions that do not have this vulnerability. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious script injections targeting the 'wpmem_login_link' shortcode. Educate content contributors about the risks of injecting untrusted content. Regularly update WordPress core and plugins to the latest versions once patches become available. Conduct security audits and penetration testing focused on plugin vulnerabilities to identify and remediate similar issues proactively.