Stored Cross-Site Scripting Vulnerability in WordPress Plugins Affecting Membership Management
CVE-2024-10518
Key Information:
- Vendor
- Wordpress
- Vendor
- CVE Published:
- 12 December 2024
Badges
Summary
The Paid Membership Plugin for WordPress versions prior to 4.15.15 contains a critical security flaw that fails to properly sanitize and escape certain Membership Plan settings. This oversight can enable high-privileged users, such as administrators, to execute Stored Cross-Site Scripting (XSS) attacks, even in environments where the unfiltered_html capability is restricted, such as multisite setups. This vulnerability can lead to significant security risks, including unauthorized access and data manipulation within WordPress sites.
Affected Version(s)
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content 0 < 4.15.15
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
Timeline
- π‘
Public PoC available
- πΎ
Exploit known to exist
Vulnerability published
Vulnerability Reserved