WPCOM Member

Wordfence Intelligence > Vulnerability Database > WordPress Plugins > WPCOM Member

Information

Software Type	Plugin
Software Slug	wpcom-member (view on wordpress.org)
Software Status	Active
Software Author	whyun
Software Website	www.wpcom.cn
Software Downloads	69,398
Software Active Installs	1,000
Software Record Last Updated	June 18, 2026

8 Vulnerabilities

Submit a Vulnerability

WPCOM Member <= 1.7.16 - Authentication Bypass via Weak OTP

8.1

CVE-2025-14002

Dec 15, 2025

Researcher: wesley (wcraft)

WPCOM Member <= 1.7.14 - Authenticated (Contributor+) Local File Inclusion via Shortcode

8.8

CVE-2025-11920

Oct 31, 2025

Researcher: Naoya Takahashi (nakko)

WPCOM Member <= 1.7.7 - Authenticated (Contributor+) Local File Inclusion

8.8

CVE-2025-39570

Apr 16, 2025

Researcher: astra.r3verii

WPCOM Member <= 1.7.6 - Unauthenticated Time-Based SQL Injection

7.5

CVE-2025-2221

Mar 13, 2025

Researcher: wesley (wcraft)

WPCOM Member <= 1.7.5 - Authentication Bypass via 'user_phone'

9.8

CVE-2025-1475

Mar 6, 2025

Researcher: wesley (wcraft)

WPCOM Member <= 1.5.4 - Reflected Cross-Site Scripting

6.1

CVE-2024-47378

Sep 30, 2024

Researcher: ardias

WPCOM Member <= 1.5.2.1 - Unauthenticated Privilege Escalation via User Meta

9.8

CVE-2024-7493

Sep 6, 2024

Researcher: wesley (wcraft)

Several WordPress.org Plugins <= Various Versions - Injected Backdoor

10.0

CVE-2024-6297

Jun 24, 2024

Researchers:

Title	Status	CVE ID	CVSS	Researchers	Date
WPCOM Member <= 1.7.16 - Authentication Bypass via Weak OTP	Patched	CVE-2025-14002	8.1	wesley (wcraft)	December 15, 2025
WPCOM Member <= 1.7.14 - Authenticated (Contributor+) Local File Inclusion via Shortcode	Patched	CVE-2025-11920	8.8	Naoya Takahashi (nakko)	October 31, 2025
WPCOM Member <= 1.7.7 - Authenticated (Contributor+) Local File Inclusion	Patched	CVE-2025-39570	8.8	astra.r3verii	April 16, 2025
WPCOM Member <= 1.7.6 - Unauthenticated Time-Based SQL Injection	Patched	CVE-2025-2221	7.5	wesley (wcraft)	March 13, 2025
WPCOM Member <= 1.7.5 - Authentication Bypass via 'user_phone'	Patched	CVE-2025-1475	9.8	wesley (wcraft)	March 6, 2025
WPCOM Member <= 1.5.4 - Reflected Cross-Site Scripting	Patched	CVE-2024-47378	6.1	ardias	September 30, 2024
WPCOM Member <= 1.5.2.1 - Unauthenticated Privilege Escalation via User Meta	Patched	CVE-2024-7493	9.8	wesley (wcraft)	September 6, 2024
Several WordPress.org Plugins <= Various Versions - Injected Backdoor	Patched	CVE-2024-6297	10.0		June 24, 2024

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation