– Proof of Concept - Atomic Edge

Atomic Edge analysis of CVE-2025-68844:
The Membee Login plugin for WordPress, versions up to and including 2.3.6, contains an unauthenticated stored cross-site scripting (XSS) vulnerability. This flaw exists in the plugin’s administrative settings page due to insufficient output escaping. The vulnerability allows attackers to inject malicious JavaScript that executes in the context of an administrator’s session, leading to a complete site compromise with a CVSS score of 7.2.

The root cause is improper output escaping in the plugin’s admin settings rendering function `display_membee_login_options()`, located in `/membees-member-login-widget/mvc/v.php`. In the vulnerable version, the function directly echoes the `$membee_options[‘membee_message’]` variable without sanitization at lines 50-52. This message variable is populated in the `process_membee_options()` function in `/membees-member-login-widget/mvc/c.php` when user input validation fails. The validation logic for the ‘membee_secret’ parameter at lines 24-35 concatenates raw user input into the error message without proper escaping.

Exploitation occurs through a POST request to the WordPress admin area where the plugin settings are saved. An attacker sends a malicious payload in the `membee_secret` parameter that fails the plugin’s validation checks. The payload is stored in the `membee_message` option and subsequently rendered unsanitized on the plugin’s settings page. The attack vector targets `/wp-admin/options-general.php?page=membee-login` with a POST request containing a crafted `membee_secret` parameter that includes JavaScript payloads within HTML tags.

The patch in version 2.3.7 adds proper output escaping using WordPress’s `esc_url()` and `esc_attr()` functions. In the updated `display_membee_login_options()` function, the form action URL now uses `esc_url()` at line 14, and all form field values use `esc_attr()` at lines 17, 20, and 23. Additionally, the patch introduces several architectural improvements including a new `membee_get_script_host()` function and better code organization, but the critical security fix is the implementation of proper output escaping for all user-controlled variables rendered in HTML contexts.

Successful exploitation enables unauthenticated attackers to inject arbitrary JavaScript that executes whenever an administrator views the plugin’s settings page. This allows complete site takeover through session hijacking, administrative privilege escalation, backdoor installation, or content modification. The stored nature of the XSS means a single successful injection affects all subsequent administrator visits to the settings page until the malicious payload is removed.