Stored Cross-Site Scripting Vulnerability in Paid Membership Plugin by WordPress
CVE-2024-13119

4.8MEDIUM

Key Information:

Vendor: WordPress
Status: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content
Vendor: CVE Published:; 13 February 2025

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The Paid Membership Plugin for WordPress, specifically versions prior to 4.15.20, has a critical issue where it fails to properly sanitize and escape certain configuration settings. This oversight enables high-privilege users, including administrators, to execute Stored Cross-Site Scripting attacks, even in scenarios where the unfiltered_html capability is restricted, such as in multisite environments. Attackers could leverage this vulnerability to inject malicious scripts that can be executed in the context of other users.

Affected Version(s)

Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content 0 < 4.15.20

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-13119 - Proof of Concept

References

https://wpscan.com/vulnerability/32600a45-a8cd-446c-9aa2-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

🟡
Public PoC available
Feb 13, 2025
👾
Exploit known to exist
Feb 13, 2025
Vulnerability published
Feb 13, 2025
Vulnerability Reserved
Jan 1, 2025

Credit

Dmitrii Ignatyev

WPScan