
WP-Members Membership Plugin Security & Risk Analysis
wordpress.org/plugins/wp-members
The original WordPress membership plugin with content restriction, user login, custom registration fields, user profiles, and more.
Is WP-Members Membership Plugin Safe to Use in 2026?
Generally Safe
Score 88/100
WP-Members Membership Plugin has a strong security track record. Known vulnerabilities have been patched promptly.
The "wp-members" plugin v3.5.6 exhibits a mixed security posture. While it demonstrates a good number of nonce and capability checks, the presence of one AJAX handler without authentication checks is a significant concern, directly increasing the attack surface. The static analysis also reveals the use of the `unserialize` function, which can be a gateway to code injection vulnerabilities if not handled with extreme care and input validation. Furthermore, a substantial portion of its SQL queries are not using prepared statements, increasing the risk of SQL injection.

While the taint analysis did not reveal critical or high-severity vulnerabilities in this specific scan, the historical data is concerning. The plugin has a history of 18 CVEs, including high-severity vulnerabilities such as SQL injection, cross-site scripting, code injection, and improper access control. The fact that a recent vulnerability was logged in 2026 suggests potential ongoing maintenance issues or a pattern of introducing vulnerabilities.

Despite the presence of good practices like a decent rate of output escaping and prepared statements, the identified vulnerabilities and the unprotected AJAX endpoint outweigh these positives, indicating a moderate to high risk.
Key Concerns
- Unprotected AJAX handler present
- Use of dangerous function: unserialize
- Significant percentage of SQL queries not prepared
- History of numerous high-severity CVEs
- High number of entry points with one unprotected
WP-Members Membership Plugin Security Vulnerabilities
18 total CVEs
WP-Members Membership Plugin <= 3.5.5.1 - Authenticated (Contributor+) SQL Injection via 'order_by' Shortcode Attribute
WP-Members Membership Plugin <= 3.5.4.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Multiple Checkbox and Multiple Select User Profile Fields
WP-Members Membership Plugin <= 3.5.4.4 - Unauthenticated Information Exposure via Unprotected Files
WP-Members <= 3.5.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
WP-Members Membership Plugin <= 3.5.4.2 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via Profile Names
WP-Members <= 3.5.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
WP-Members <= 3.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
WP-Members <= 3.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpmem_user_memberships Shortcode
WP-Members <= 3.4.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpmem_loginout Shortcode
WP-Members Membership Plugin <= 3.4.9.5 - Reflected Cross-Site Scripting
WP-Members Membership Plugin <= 3.4.9.3 - Unprotected Storage of Potentially Sensitive Files
WP-Members Membership Plugin <= 3.4.9.2 - Unauthenticated Stored Cross-Site Scripting
WP-Members Membership Plugin <= 3.4.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
WP-Members Membership Plugin <= 3.4.8 - Missing Authorization to Sensitive Information Exposure
WP-Members Membership <= 3.4.7.3 - Cross-Site Request Forgery to Settings Update
WP-Members <= 3.2.7 - Cross-Site Request Forgery
WP-Members < 3.1.8 - Cross-Site Scripting
WP-Members Membership Plugin <= 2.8.9 - Reflected Cross-Site Scripting
WP-Members Membership Plugin Code Analysis
Dangerous Functions Found
Bundled Libraries
SQL Query Safety
Output Escaping
Data Flow Analysis
WP-Members Membership Plugin Attack Surface
AJAX Handlers 1
Shortcodes 19
WordPress Hooks 183
WP-Members Membership Plugin Maintenance & Trust
Maintenance Signals
Community Trust
WP-Members Membership Plugin Alternatives
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
user-registration
Build membership sites with tiered plans, content restriction, drag-&-drop custom registration & login form builder, and built-in payment system.
Pie Register – User Registration, Profiles & Content Restriction
pie-register
Create customized registration forms, Invite through email, Email Notification, User Roles assignment, and more. Pie Register is a User Registration p …
JSON API User
json-api-user
Extends the JSON API Plugin to allow RESTful user registration, authentication & many other User Meta, BP functions. A Pro version is also available.
Membership For WooCommerce – WordPress Membership Plugin, Restrict Content, Build Online Communities, Paywall & Content Dripping
membership-for-woocommerce
The membership plugin wordpress lets you easily restrict content, build online communities, customize user roles, & quickly manage access permissions.
Membee Login
membees-member-login-widget
Add member authentication and access role management to your WordPress site via Membee's powerful Member Single Sign-On web service.
WP-Members Membership Plugin Developer Profile
2 plugins · 50K total installs
How We Detect WP-Members Membership Plugin
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/wp-members/css/wpmembers-admin.css
- /wp-content/plugins/wp-members/css/wpmembers-style.css
- /wp-content/plugins/wp-members/css/wpmembers-theme.css
- /wp-content/plugins/wp-members/js/wpmembers-admin.js
- /wp-content/plugins/wp-members/js/wpmembers-users.js
- /wp-content/plugins/wp-members/js/wpmembers-ui.js
- wp-members/css/wpmembers-admin.css?ver=
- wp-members/css/wpmembers-style.css?ver=
- wp-members/css/wpmembers-theme.css?ver=
- wp-members/js/wpmembers-admin.js?ver=
- wp-members/js/wpmembers-users.js?ver=
- wp-members/js/wpmembers-ui.js?ver=
HTML / DOM Fingerprints
- wpmem-login
- wpmem-register
- wpmem-profile
- wpmem-lost-password
- wpmem-change-password
- wpmem-form-row
- wpmem-label
- wpmem-field
- <!-- WP-Members User Registration Form -->
- <!-- WP-Members Login Form -->
- <!-- WP-Members User Profile Form -->
- <!-- WP-Members Lost Password Form -->
- data-wpmem-field
- data-wpmem-login-form
- data-wpmem-register-form
- data-wpmem-profile-form
- data-wpmem-lost-password-form
- data-wpmem-change-password-form
- wpmem_vars
- wpmem_ajaxurl
- /wp-json/wp-members/v1/users
- /wp-json/wp-members/v1/settings
- /wp-json/wp-members/v1/fields
- [wpmem_login]
- [wpmem_register]
- [wpmem_profile]
- [wpmem_lost_password]