CVE-2025-7495 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WP-Members Membership Plugin for WordPress, developed by cbutlerjr. This vulnerability affects all versions up to and including 3.5.4.1. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and output escaping of user-supplied attributes in the 'wpmem_login_link' shortcode. Authenticated attackers with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages via the shortcode attributes. When other users access these compromised pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or redirection to malicious sites. The vulnerability does not require user interaction beyond page access and has a CVSS 3.1 base score of 6.4, indicating a medium severity. The scope is classified as changed, meaning the vulnerability can affect resources beyond the attacker’s privileges. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability is categorized under CWE-79, which is a common and impactful web application security weakness related to cross-site scripting attacks.

For European organizations using WordPress sites with the WP-Members Membership Plugin, this vulnerability poses a significant risk to the confidentiality and integrity of user sessions and data. Attackers with contributor-level access—often achievable through compromised accounts or weak internal controls—can inject persistent malicious scripts that execute for any visitor of the affected pages. This could lead to theft of authentication tokens, unauthorized actions performed on behalf of users, defacement, or distribution of malware. Given the widespread use of WordPress across European businesses, including e-commerce, membership, and community platforms, exploitation could disrupt operations and damage reputation. The vulnerability’s ability to escalate privileges or compromise user accounts is particularly concerning for organizations handling sensitive personal data under GDPR, as breaches could result in regulatory penalties and loss of customer trust. Although no active exploitation is reported yet, the medium severity and ease of exploitation by authenticated users necessitate prompt attention.

European organizations should immediately audit their WordPress installations to identify the presence of the WP-Members Membership Plugin and verify the version in use. Until an official patch is released, administrators should restrict contributor-level access strictly to trusted users and consider temporarily disabling the 'wpmem_login_link' shortcode or the entire plugin if feasible. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious shortcode attribute patterns can provide interim protection. Additionally, organizations should enforce strong authentication policies, including multi-factor authentication (MFA), to reduce the risk of account compromise. Regular security scanning and monitoring for unusual script injections or anomalous page content are advised. Once a patch is available, timely updating of the plugin is critical. Developers and site administrators should also review and harden input validation and output encoding practices in custom shortcodes or plugins to prevent similar issues.