6.5
WP-Members Plugin for WordPress Allows Hackers to Access Sensitive Data
CVE-2026-2363
Summary
The WP-Members plugin for WordPress, used by many websites, has a SQL injection flaw in the 'order_by' attribute of its [wpmem_user_membership_posts] shortcode. An authenticated user with Contributor-level access or above can use it to read sensitive information from the database that they should not be able to see. All versions up to and including 3.5.5.1 are affected; update the plugin to a newer version to fix the issue.
Original title
The WP-Members Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'order_by' attribute of the [wpmem_user_membership_posts] shortcode in all versions up to, and including...
Original description
The WP-Members Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'order_by' attribute of the [wpmem_user_membership_posts] shortcode in all versions up to, and including, 3.5.5.1. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
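The description names two causes: the attribute is not escaped and the query is not prepared. For an ORDER BY fragment the usual remedy is an allowlist, because a value placeholder cannot stand in for a column name or sort direction. The sketch below is an added example, not code from WP-Members or its fix; the function names, accepted tokens and table name are assumptions chosen for illustration.

```php
<?php
// Added example; function, shortcode-attribute and table names are hypothetical.

function example_resolve_order_by( string $raw, string $default = 'post_date DESC' ): string {
    // Keys: tokens a shortcode author may type. Values: the only SQL ever emitted.
    $columns    = array(
        'title'    => 'post_title',
        'date'     => 'post_date',
        'modified' => 'post_modified',
        'id'       => 'ID',
    );
    $directions = array( 'asc' => 'ASC', 'desc' => 'DESC' );

    $parts = preg_split( '/\s+/', strtolower( trim( $raw ) ), -1, PREG_SPLIT_NO_EMPTY );
    if ( ! is_array( $parts ) || count( $parts ) < 1 || count( $parts ) > 2 ) {
        return $default;
    }
    if ( ! isset( $columns[ $parts[0] ] ) ) {
        return $default; // unknown column: never echo the input back into SQL
    }
    $direction = 'ASC';
    if ( isset( $parts[1] ) ) {
        if ( ! isset( $directions[ $parts[1] ] ) ) {
            return $default;
        }
        $direction = $directions[ $parts[1] ];
    }
    return $columns[ $parts[0] ] . ' ' . $direction;
}

// Values still go through a placeholder; in WordPress this template would be
// passed to $wpdb->prepare( $sql, $user_id ). The table name is an assumption.
function example_build_query( string $posts_table, string $raw_order_by ): string {
    return "SELECT ID, post_title FROM {$posts_table} WHERE post_author = %d ORDER BY "
        . example_resolve_order_by( $raw_order_by );
}

// Constructed inputs: two valid, three that fall back to the default ordering.
foreach ( array( 'title', 'Date desc', 'post_title', 'title sideways', 'id asc extra' ) as $input ) {
    printf( "%-16s => %s\n", $input, example_resolve_order_by( $input ) );
}
```

Because the returned fragment is always assembled from the fixed array values, no part of the attribute text reaches the query, whatever it contains.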
NVD CVSS 3.1
6.5
Vulnerability type
CWE-89
SQL Injection
- https://plugins.trac.wordpress.org/browser/wp-members/tags/3.5.5.1/includes/clas...
- https://plugins.trac.wordpress.org/browser/wp-members/tags/3.5.5.1/includes/clas...
- https://plugins.trac.wordpress.org/changeset/3468716/wp-members/trunk/includes/c...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2a47e3cc-9435-4e9c-8d9...
Published: 4 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026