Stored Cross-Site Scripting Vulnerability in Paid Membership Plugin for WordPress
CVE-2024-10517

Currently unrated

Key Information:

Vendor
Wordpress
Status
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content
Vendor
CVE Published:
12 December 2024

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

Summary

The Paid Membership Plugin for WordPress before version 4.15.15 contains a vulnerability that fails to properly sanitize and escape certain fields within its Drag & Drop Builder. This oversight can enable high-privileged users, such as administrators, to execute Stored Cross-Site Scripting (XSS) attacks, even in configurations where the unfiltered_html capability is restricted, such as multisite setups. Exploiting this vulnerability could compromise the security of the entire site, making it critical for users to update to the latest version to protect against potential attacks.

Affected Version(s)

Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content 0 < 4.15.15

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-10517 - Proof of Concept

References

https://wpscan.com/vulnerability/f7c3a990-458e-4e15-b427-...
exploitvdb-entrytechnical-description

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dmitrii Ignatyev
WPScan
.