Shared security patch analysis results
AI Used: claude_cli haiku--- cache/wp-members_3.5.4.3/includes/class-wp-members-user-profile.php 2026-01-17 00:16:02.225358444 +0000+++ cache/wp-members_3.5.4.4/includes/class-wp-members-user-profile.php 2026-01-17 00:16:20.126418493 +0000@@ -385,7 +385,7 @@ } elseif ( $field['type'] == 'checkbox' ) { $fields[ $meta ] = wpmem_get_sanitized( $meta, '' ); // ( isset( $_POST[ $meta ] ) ) ? sanitize_text_field( $_POST[ $meta ] ) : ''; } elseif ( $field['type'] == 'multiselect' || $field['type'] == 'multicheckbox' ) { - $fields[ $meta ] = ( isset( $_POST[ $meta ] ) ) ? implode( $field['delimiter'], wp_unslash( $_POST[ $meta ] ) ) : ''; + $fields[ $meta ] = ( isset( $_POST[ $meta ] ) ) ? implode( $field['delimiter'], wpmem_sanitize_array( $_POST[ $meta ] ) ) : ''; } elseif ( $field['type'] == 'textarea' ) { $fields[ $meta ] = wpmem_get_sanitized( $meta, '', 'post', 'textarea' ); // ( isset( $_POST[ $meta ] ) ) ? sanitize_textarea_field( $_POST[ $meta ] ) : ''; }
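Review bot: On the `multiselect` / `multicheckbox` branch, the replacement line no longer calls `wp_unslash()`, so unless `wpmem_sanitize_array()` unslashes internally, values containing quotes or backslashes will be stored with the slashes WordPress adds to `$_POST`. Please confirm which applies, and if it does not unslash, wrap the argument as `wpmem_sanitize_array( wp_unslash( $_POST[ $meta ] ) )`. The branch also only checks `isset( $_POST[ $meta ] )`, so a scalar submitted for an array-type field still reaches the sanitizer and `implode()`; an `is_array()` guard would make that case explicit. Since this change only sanitizes on save, values written by 3.5.4.3 and earlier are untouched, so the code that renders these fields should escape on output as well.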
Vulnerability Existed: yes

TRUE POSITIVE

Improper Input Validation/Sanitization - CWE-20 - includes/class-wp-members-user-profile.php Line 388

[Old Code]

```php
$fields[ $meta ] = ( isset( $_POST[ $meta ] ) ) ? implode( $field['delimiter'], wp_unslash( $_POST[ $meta ] ) ) : '';
```

[Fixed Code]

```php
$fields[ $meta ] = ( isset( $_POST[ $meta ] ) ) ? implode( $field['delimiter'], wpmem_sanitize_array( $_POST[ $meta ] ) ) : '';
```

Explanation: The original code used `wp_unslash()` on user-supplied POST data without proper sanitization. The `wp_unslash()` function only removes slashes added by WordPress magic quotes and does not sanitize the data for SQL injection, XSS, or other attacks. For multiselect and multicheckbox fields that accept arrays, the unslashed data could contain malicious content. The fix replaces `wp_unslash()` with `wpmem_sanitize_array()`, which provides proper sanitization of array values before they are imploded and stored. This prevents injection attacks where an attacker could submit malicious data through the array elements.
The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Multiple Checkbox and Multiple Select user profile fields in all versions up to, and including, 3.5.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
--- cache/wp-members_3.5.4.3/wp-members.php 2026-01-17 00:16:02.237359154 +0000+++ cache/wp-members_3.5.4.4/wp-members.php 2026-01-17 00:16:20.138419204 +0000@@ -3,7 +3,7 @@ Plugin Name: WP-Members Plugin URI: https://rocketgeek.com Description: WP access restriction and user registration. For more information on plugin features, refer to <a href="https://rocketgeek.com/plugins/wp-members/docs/">the online Users Guide</a>. A <a href="https://rocketgeek.com/plugins/wp-members/quick-start-guide/">Quick Start Guide</a> is also available. WP-Members(tm) is a trademark of butlerblog.com. -Version: 3.5.4.3 +Version: 3.5.4.4 Author: Chad Butler Author URI: https://butlerblog.com/ Text Domain: wp-members @@ -58,7 +58,7 @@ } // Initialize constants. -define( 'WPMEM_VERSION', '3.5.4.3' ); +define( 'WPMEM_VERSION', '3.5.4.4' ); define( 'WPMEM_DB_VERSION', '2.4.2' ); define( 'WPMEM_PATH', plugin_dir_path( __FILE__ ) ); // @todo Fairly certain this is obsolete.
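Review bot: The version string is maintained by hand in two places, the plugin header `Version:` line and `define( 'WPMEM_VERSION', ... )`, and this bump has to touch both to keep them in agreement. Consider deriving the constant from the header so the two cannot drift, because a mismatch would make it harder to tell from a running site whether the 3.5.4.4 fix is actually installed.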
I'll analyze this code diff for security vulnerabilities.

---

**Analysis Result:**

Vulnerability Existed: **no**

This diff contains only version number updates (3.5.4.3 → 3.5.4.4) in two locations:

- Line 6: Plugin header `Version` field
- Line 61: `WPMEM_VERSION` constant definition

**Assessment:**

These are metadata changes with no functional code modifications. Version strings are informational only and do not introduce, fix, or relate to any security vulnerabilities. The changes do not:

- Modify any security-sensitive logic
- Add or remove input validation
- Change authentication/authorization mechanisms
- Alter data handling or sanitization
- Affect privilege levels or access controls
- Introduce or patch known CWE vulnerabilities

**Conclusion:**

This is a routine version bump with no security implications.