Memberful – Membership Plugin Security & Risk Analysis

wordpress.org/plugins/memberful-wp

Sell memberships and restrict access to content with WordPress and Memberful.

1K active installs · v1.78.0 · PHP 7.4+ · WP 3.6+ · Updated Feb 25, 2026
Tags: membership, paywall, recurring-payments, stripe, subscriptions
Security score: 97 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Sep 22, 2025
Safety Verdict

Is Memberful – Membership Plugin Safe to Use in 2026?

Generally Safe

Score 97/100

Memberful – Membership Plugin has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Sep 22, 2025 · Updated 1mo ago
Risk Assessment

The static analysis of memberful-wp v1.78.0 reveals a mixed security posture. On the positive side, the plugin demonstrates good practices by having a substantial number of capability checks and a high percentage of SQL queries using prepared statements and properly escaped outputs. There are no directly identified critical or high severity issues in the current code analysis, such as dangerous functions or critical taint flows. The absence of unprotected entry points further strengthens its security framework.

However, there are some areas that warrant attention. A significant portion of taint flows (7 out of 8) involve unsanitized paths, which, although not rated as critical or high in this analysis, could still represent potential avenues for unexpected behavior or security weaknesses if exploited in conjunction with other factors. The presence of file operations and external HTTP requests, while not inherently insecure, always introduces a degree of risk that needs careful management.

The plugin's vulnerability history indicates a pattern of medium severity issues, including missing authorization, information exposure, and cross-site scripting, with the last vulnerability occurring relatively recently. While there are currently no unpatched vulnerabilities, this history suggests a need for continued vigilance and robust security testing. Overall, the plugin has a solid foundation in secure coding practices, but the unsanitized path flows and historical vulnerability types highlight areas for ongoing improvement and risk mitigation.

Key Concerns

  • Flows with unsanitized paths found
  • Medium severity vulnerabilities in history
  • File operations present
  • External HTTP requests present
  • Nonce checks only present once
Vulnerabilities
3

Memberful – Membership Plugin Security Vulnerabilities

CVEs by Year

  • 2 CVEs in 2024
  • 1 CVE in 2025

Severity Breakdown

Medium: 3

3 total CVEs

CVE-2025-58000 · medium · 6.5 · Missing Authorization

Memberful <= 1.75.0 - Missing Authorization

Sep 22, 2025 Patched in 1.76.0 (26d)
CVE-2024-11294 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Memberful <= 1.73.9 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

Dec 16, 2024 Patched in 1.74.0 (1d)
CVE-2024-9242 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Memberful – Membership Plugin <= 1.73.7 - Authenticated (contributor+) Stored Cross-Site Scripting

Oct 3, 2024 Patched in 1.73.8 (1d)
Code Analysis
Analyzed Mar 16, 2026

Memberful – Membership Plugin Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 10 (19 prepared)
  • Unescaped Output: 39 (204 escaped)
  • Nonce Checks: 1
  • Capability Checks: 10
  • File Operations: 2
  • External Requests: 5
  • Bundled Libraries: 1

Bundled Libraries

TinyMCE

SQL Query Safety

66% prepared · 29 total queries

Output Escaping

84% escaped · 243 total outputs
Data Flows
7 unsanitized

Data Flow Analysis

8 flows · 7 with unsanitized paths
init (src\authenticator.php:72)
Attack Surface

Memberful – Membership Plugin Attack Surface

Entry Points: 14
Unprotected: 0

Shortcodes 14

[memberful] src\shortcodes.php:2
[memberful_account_link] src\shortcodes.php:3
[memberful_buy_download_link] src\shortcodes.php:4
[memberful_buy_gift_link] src\shortcodes.php:5
[memberful_buy_subscription_link] src\shortcodes.php:6
[memberful_download_link] src\shortcodes.php:7
[memberful_private_rss_feed_link] src\shortcodes.php:8
[memberful_register_link] src\shortcodes.php:9
[memberful_sign_in_link] src\shortcodes.php:10
[memberful_sign_out_link] src\shortcodes.php:11
[memberful_podcasts_link] src\shortcodes.php:12
[memberful_podcast_url] src\shortcodes.php:13
[memberful_if_has_active_subscription] src\shortcodes.php:14
[memberful_if_does_not_have_active_subscription] src\shortcodes.php:15
WordPress Hooks 72
filter auth_cookie_expiration memberful-wp.php:116
filter mce_buttons src\admin\editor.php:3
filter mce_external_plugins src\admin\editor.php:4
action admin_head src\admin.php:7
action admin_menu src\admin.php:8
action admin_init src\admin.php:9
action admin_init src\admin.php:10
action admin_init src\admin.php:11
action admin_enqueue_scripts src\admin.php:12
filter display_post_states src\admin.php:13
filter authenticate src\authenticator.php:124
filter allow_password_reset src\authenticator.php:289
filter login_message src\authenticator.php:290
filter wp_login src\authenticator.php:291
action login_form src\authenticator.php:292
action enqueue_block_editor_assets src\block-editor.php:41
filter register_block_type_args src\block-editor.php:42
action render_block src\block-editor.php:44
action admin_init src\block_dashboard_access.php:12
action template_redirect src\comments_protection.php:3
filter comments_template src\comments_protection.php:15
action do_feed_rss2 src\comments_protection.php:44
action do_feed_atom src\comments_protection.php:45
filter comment_feed_where src\comments_protection.php:106
action the_content src\content_filter.php:3
filter rss_enclosure src\content_filter.php:33
filter memberful_wp_protect_content src\content_filter.php:42
filter memberful_wp_protect_content src\content_filter.php:43
filter memberful_wp_protect_content src\content_filter.php:44
filter memberful_wp_protect_content src\content_filter.php:45
filter memberful_wp_protect_content src\content_filter.php:46
filter memberful_wp_protect_content src\content_filter.php:47
filter memberful_wp_protect_content src\content_filter.php:49
filter memberful_wp_protect_content src\content_filter.php:50
filter advanced-ads-can-display-ad src\contrib\ad-providers\advanced-ads.php:61
action wp_enqueue_scripts src\contrib\ad-providers\mediavine-ads.php:61
filter body_class src\contrib\ad-providers\raptive-ads.php:41
action init src\contrib\ad-providers.php:22
action memberful_ad_provider_register_providers src\contrib\ad-providers.php:39
action bbp_template_redirect src\contrib\bbpress.php:3
filter elementor/frontend/builder_content_data src\contrib\elementor.php:3
action elementor/frontend/the_content src\contrib\elementor.php:5
filter memberful_metabox_post_types src\contrib\sfwd-learndash.php:18
filter the_content src\contrib\sfwd-learndash.php:19
filter comments_open src\contrib\sfwd-learndash.php:20
action woocommerce_single_product_summary src\contrib\woocommerce.php:19
filter woocommerce_add_to_cart_validation src\contrib\woocommerce.php:20
filter woocommerce_is_purchasable src\contrib\woocommerce.php:21
filter the_content src\contrib\woocommerce.php:22
action template_redirect src\contrib\woothemes-sensei.php:28
action the_content src\contrib\woothemes-sensei.php:83
action wp src\contrib\wp-ultimate-recipe-premium.php:3
action wp src\contrib\wp-ultimate-recipe.php:3
filter allowed_redirect_hosts src\core-ext.php:9
action memberful_wp_cron_sync src\cron.php:8
action memberful_wp_cron_sync src\cron.php:9
action wp_head src\embed.php:3
action wp_loaded src\endpoints.php:13
filter wp_get_nav_menu_items src\filter_account_menu_items.php:30
filter memberful_wp_protect_content src\global_marketing.php:8
filter memberful_wp_protect_content src\global_marketing.php:10
action the_content src\global_marketing.php:53
action init src\hide_admin_toolbar.php:8
action wp_logout src\logout_hooks.php:4
action add_meta_boxes src\metabox.php:3
action save_post src\metabox.php:4
action registered_taxonomy src\metabox.php:12
action admin_menu src\nav_menus.php:3
action init src\private_user_feed.php:12
action pre_get_posts src\search_filter.php:3
action widgets_init src\widgets.php:96
action wp_enqueue_scripts src\widgets.php:130

Scheduled Events 1

memberful_wp_cron_sync
Maintenance & Trust

Memberful – Membership Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 25, 2026
PHP min version: 7.4
Downloads: 204K

Community Trust

Rating: 94/100
Number of ratings: 13
Active installs: 1K
Developer Profile

Memberful – Membership Plugin Developer Profile

memberful

2 plugins · 2K total installs

Trust score: 88
Avg Security Score: 91/100
Avg Patch Time: 9 days
Detection Fingerprints

How We Detect Memberful – Membership Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/memberful-wp/admin.css
  • /wp-content/plugins/memberful-wp/admin.js
  • /wp-content/plugins/memberful-wp/assets/css/memberful-admin.css
  • /wp-content/plugins/memberful-wp/assets/css/memberful-editor.css
  • /wp-content/plugins/memberful-wp/assets/js/memberful-admin.js
  • /wp-content/plugins/memberful-wp/assets/js/memberful-editor.js
  • /wp-content/plugins/memberful-wp/assets/js/memberful-gutenberg.js
  • /wp-content/plugins/memberful-wp/assets/js/memberful-react.js
Script Paths
  • /wp-content/plugins/memberful-wp/admin.js
  • /wp-content/plugins/memberful-wp/assets/js/memberful-admin.js
  • /wp-content/plugins/memberful-wp/assets/js/memberful-editor.js
  • /wp-content/plugins/memberful-wp/assets/js/memberful-gutenberg.js
  • /wp-content/plugins/memberful-wp/assets/js/memberful-react.js
Version Parameters
  • memberful-wp/admin.css?ver=
  • memberful-wp/admin.js?ver=
  • memberful-wp/assets/css/memberful-admin.css?ver=
  • memberful-wp/assets/css/memberful-editor.css?ver=
  • memberful-wp/assets/js/memberful-admin.js?ver=
  • memberful-wp/assets/js/memberful-editor.js?ver=
  • memberful-wp/assets/js/memberful-gutenberg.js?ver=
  • memberful-wp/assets/js/memberful-react.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • memberful-admin-wrap
  • memberful-connection-form
  • memberful-plans-list
  • memberful-plan-row
  • memberful-account-menu-item
  • memberful-account-menu
  • memberful-shortcode-button
  • memberful-button
  • +1 more
HTML Comments
  • <!-- memberful_embed_start -->
  • <!-- memberful_embed_end -->
Data Attributes
  • data-memberful-key
  • data-memberful-plan-id
  • data-memberful-account-page-url
  • data-memberful-embed
  • data-memberful-url
JS Globals
  • memberful
  • Memberful
REST Endpoints
  • /wp-json/memberful/v1/settings
  • /wp-json/memberful/v1/plans
Shortcode Output
  • [memberful_plans]
  • [memberful_buy_button]
  • [memberful_account_link]
  • [memberful_subscribe_form]