Description
The WP-Members Membership Plugin for WordPress is vulnerable to unauthorized file access in versions up to, and including, 3.5.4.4. This is due to storing user-uploaded files in predictable directories (wp-content/uploads/wpmembers/user_files/<user_id>/) without implementing proper access controls beyond basic directory listing protection (.htaccess with Options -Indexes). This makes it possible for unauthenticated attackers to directly access and download sensitive documents uploaded by site users via direct URL access, granted they can guess or enumerate user IDs and filenames.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Affected products
- cbutlerjr / WP-Members Membership Plugin0 – 3.5.4.4
References
- MISChttps://www.wordfence.com/threat-intel/vulnerabilities/id/9d0154fd-0cab-4445-a92e-c44ae9931479?source=cve
- MISChttps://plugins.trac.wordpress.org/browser/wp-members/trunk/includes/class-wp-members-forms.php#L604
- MISChttps://plugins.trac.wordpress.org/browser/wp-members/trunk/includes/admin/class-wp-members-admin-api.php#L707
- MISChttps://plugins.trac.wordpress.org/changeset/3427043/wp-members/trunk/includes/class-wp-members-forms.php