Ultimate Membership Pro Vulnerable to Reflected XSS
CVE-2024-43241

7.1HIGH

Key Information:

Vendor: WordPress
Status: Ultimate Membership Pro
Vendor: CVE Published:; 18 August 2024

Summary

A reflected Cross-site Scripting (XSS) vulnerability has been identified in the Ultimate Membership Pro plugin by Azzaroco, impacting all versions up to 12.6. This vulnerability arises from improper neutralization of user input during the web page generation process. Attackers can exploit this flaw to inject malicious scripts into web pages viewed by users, potentially leading to unauthorized actions being taken on behalf of the user, data theft, or compromised sessions. It is essential for users of the Ultimate Membership Pro plugin to evaluate their exposure to this vulnerability and implement necessary mitigations.

Affected Version(s)

Ultimate Membership Pro <= 12.6

References

https://patchstack.com/database/vulnerability/indeed-memb...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Aug 18, 2024
Vulnerability Reserved
Aug 9, 2024

Credit

Rafie Muhammad (Patchstack)