CVE-2025-11920

WordPress · WordPress WPCOM Member plugin

A high-severity vulnerability has been identified in the WPCOM Member plugin for WordPress, which could allow an unauthenticated attacker to access sensitive files on the web server.

Executive summary

CVE-2025-11920 is a high-severity (CVSS 8.8) Local File Inclusion flaw in the WPCOM Member plugin for WordPress that an unauthenticated attacker can use to read sensitive files on the web server. Successful exploitation can expose confidential data such as the database credentials and authentication keys held in wp-config.php, as well as system configuration files, and the credentials obtained in this way can lead to full compromise of the affected site. Organizations running the plugin should apply the vendor update immediately.

Vulnerability

The vulnerability is a Local File Inclusion (LFI) reached through path traversal. The plugin builds a filesystem path from a user-supplied request parameter without validating or canonicalising it, so an attacker can supply directory traversal sequences (for example ../) to step outside the intended directory and make the plugin open an arbitrary file on the server's local filesystem. Files of interest include wp-config.php (which holds the database credentials and the authentication keys and salts), /etc/passwd, and other application source or configuration files. Two sinks are possible for this class of bug and they behave differently: if the path reaches a read function, the file's bytes are returned to the attacker directly; if it reaches include or require, a PHP file is executed rather than displayed, and disclosing its source normally requires a stream wrapper such as php://filter, while non-PHP files are echoed verbatim. In either case the attacker needs no account on the site.

Business impact

This vulnerability is rated High severity with a CVSS score of 8.8. A successful attack can expose sensitive company or customer data held on the server, and the configuration files it reaches hand the attacker database credentials and internal system details that enable follow-on attacks: direct access to the database, complete takeover of the site, defacement, or deployment of malware. Such an incident could result in significant reputational damage, financial loss, and regulatory penalties.

Remediation

Immediate Action:

  • Immediately update the WPCOM Member plugin to the latest version provided by the vendor, which contains a patch for this vulnerability.
  • If the plugin is not critical to business operations, a security review should be conducted to determine if it can be deactivated and removed entirely to eliminate this attack vector.

Proactive Monitoring:

  • Monitor web server access logs (e.g., Apache, Nginx) for requests whose query strings contain directory traversal sequences (../ and ..\, including URL-encoded and double-encoded forms such as %2e%2e%2f and %252e%252e%252f), PHP stream wrappers such as php://filter, null bytes (%00), or the names of known sensitive files (e.g., wp-config.php, /etc/passwd). Decode the request before matching, since a single-pass rule misses the double-encoded forms. Note that standard access logs record only the request line, so a traversal payload sent in a POST body is invisible there and must be caught at the WAF or with request-body logging.
  • Implement and monitor a Web Application Firewall (WAF) to detect and block LFI attack patterns in real-time.
  • Monitor for any unauthorized changes to files on the web server, which could indicate a successful compromise.
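To make the log-monitoring item concrete, the following is an added detector written for this advisory (not taken from any vendor, WAF, or the plugin) that runs over constructed Apache/Nginx combined-format access-log lines. The plugin path and parameter names in the sample lines are placeholders, not the affected endpoint, and the lines themselves are constructed. The detector URL-decodes each request target repeatedly before matching, which is what catches the %252f style double encoding that a single-pass rule misses, and it treats a 200 response on a sensitive target or a stream-wrapper payload as high severity.

```python
"""Added detector for this advisory (not vendor, WAF, or plugin code).

Scans Apache/Nginx combined-format access-log lines for path traversal and LFI
indicators.  Plugin paths and parameter names in the sample lines are placeholders,
and the lines themselves are constructed, not real traffic.
"""
import re
import urllib.parse

# Constructed sample log lines (combined format).  Line 2 is double URL-encoded.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Oct/2025:10:00:01 +0000] "GET /wp-content/plugins/example-plugin/view.php?file=../../../../wp-config.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.10 - - [01/Oct/2025:10:00:02 +0000] "GET /?f=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1024 "-" "python-requests/2.32"
198.51.100.7 - - [01/Oct/2025:10:00:03 +0000] "GET /wp-content/uploads/2025/10/photo.jpg HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
203.0.113.22 - - [01/Oct/2025:10:00:04 +0000] "GET /?tpl=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 2048 "-" "curl/8.4.0"
198.51.100.9 - - [01/Oct/2025:10:00:05 +0000] "GET /index.php?p=../../news HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# ip ident user [timestamp] "METHOD target [protocol]" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: [^"]*)?" (\d{3})')
TRAVERSAL = re.compile(r"\.\.[\\/]")                      # ../ or ..\ after decoding
SENSITIVE = re.compile(r"wp-config\.php|/etc/(?:passwd|shadow)|/proc/self/environ|\.htaccess", re.I)
WRAPPER = re.compile(r"\b(?:php|data|expect|phar)://", re.I)  # wrappers used against include()


def fully_decode(target: str, rounds: int = 3) -> str:
    """URL-decode until the value stops changing (bounded), so %252e%252e reads as '..'."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify_request(target: str) -> list:
    """Return the LFI indicators present in one request target, in a fixed order."""
    decoded = fully_decode(target)
    reasons = []
    if TRAVERSAL.search(decoded):
        reasons.append("traversal")
    if SENSITIVE.search(decoded):
        reasons.append("sensitive-file")
    if WRAPPER.search(decoded):
        reasons.append("php-wrapper")
    if "\x00" in decoded:
        reasons.append("null-byte")
    return reasons


def scan_log(text: str) -> list:
    """Parse each line and keep those with indicators.

    A 200 response on a sensitive target or a wrapper payload is rated 'high' because
    the server may actually have served the file; anything else flagged is 'medium'.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status = m.groups()
        reasons = classify_request(target)
        if not reasons:
            continue
        served = status == "200"
        high = served and ("sensitive-file" in reasons or "php-wrapper" in reasons)
        hits.append({"ip": ip, "time": ts, "method": method, "target": target,
                     "status": int(status), "reasons": reasons,
                     "severity": "high" if high else "medium"})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"[{hit['severity']:6}] {hit['ip']} {hit['status']} {hit['target']} {hit['reasons']}")
```

The php-wrapper rule matters for the include-style sink described above: php://filter with convert.base64-encode is the standard way to pull PHP source such as wp-config.php out of an include() instead of executing it, and it contains no ../ at all, so a traversal-only rule would miss it. Because access logs carry only the request line, feed the same classifier the decoded request bodies from WAF or application logs as well.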

Compensating Controls:

  • If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with strict rules that block directory traversal and file inclusion attempts. Treat this as a stopgap rather than a fix: traversal filters are routinely bypassed with encoding variants, so the rules must match after URL decoding and path normalization, and they should cover request bodies as well as query strings.
  • Ensure the web server and PHP worker processes run with the lowest possible privileges, and enforce filesystem permissions that deny them read access to files outside the web root they do not need (system configuration, other users' home directories, backups). This does not protect wp-config.php itself, which the PHP process must be able to read to serve the site, so it limits the blast radius rather than closing the flaw.
  • Confine PHP's file access with open_basedir, limiting it to the WordPress installation and its temporary directory, so a traversal cannot reach /etc/passwd or other system files; like the permissions control above, this cannot shield wp-config.php. Leave allow_url_include at its default of Off so the same flaw cannot be turned into remote file inclusion. Do not attempt to disable include, require or file_get_contents: include and require are language constructs that disable_functions cannot restrict, and WordPress core and most plugins depend on file_get_contents, so the site would break while the vulnerability remained.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS score of 8.8 and the ease of exploitation for Local File Inclusion vulnerabilities, immediate action is strongly recommended. Organizations using the affected WPCOM Member plugin should prioritize applying the vendor-supplied patch without delay. Although this CVE is not currently listed on the CISA KEV catalog, its high severity and the widespread deployment of WordPress make it a prime target for future exploitation. All remediation and monitoring actions outlined in this report should be implemented to protect against potential compromise.