Cross-Site Scripting Vulnerabilities in Paid Memberships Pro Plugin for WordPress
CVE-2015-5532

6.1MEDIUM

Key Information:

Vendor
Wordpress
Status
Paid Memberships Pro
Vendor
CVE Published:
23 October 2017

Summary

The Paid Memberships Pro plugin for WordPress has multiple vulnerabilities that enable remote attackers to exploit cross-site scripting (XSS) issues. These vulnerabilities allow attackers to execute arbitrary web scripts or HTML through several parameters in specific PHP files, such as membershiplevels.php, memberslist.php, and orders.php. Successful exploitation can lead to unauthorized actions on behalf of users or hijacking user sessions, posing significant risks to site security.

References

https://wpvulndb.com/vulnerabilities/8109
x_refsource_MISC
https://www.htbridge.com/advisory/HTB23264
x_refsource_MISC
https://github.com/strangerstudios/paid-memberships-pro/c...
x_refsource_CONFIRM

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.