Security firm Defiant has issued an advisory highlighting a severe cross-site scripting (XSS) vulnerability within the WP-Members Membership WordPress plugin, identified as CVE-2024-1852. This vulnerability stems from inadequate input sanitization and output escaping, enabling attackers to inject arbitrary scripts into web pages. By exploiting this flaw, attackers can manipulate the plugin’s user registration functionality to store malicious scripts, potentially compromising administrator browser sessions and leading to various malicious activities.
The vulnerability allows attackers to create user accounts containing malicious scripts masquerading as the user’s IP address. Attackers exploit the plugin’s reliance on the X-Forwarded-For header in registration requests, manipulating it to include a malicious payload enclosed in script tags. Consequently, the injected scripts are stored in the user’s profile and executed within the context of an administrator’s browser session when viewing or editing the user account, posing significant security risks.
Defiant’s Wordfence research team emphasizes the importance of promptly updating WP-Members Membership to version 3.4.9.3 or higher, as earlier versions include only partial fixes. With over 60,000 active installations, WP-Members is a widely used plugin enabling site owners to manage user registration, logins, profiles, and access restrictions. Users are strongly advised to take immediate action to mitigate the vulnerability and safeguard their websites against potential exploitation by malicious actors.
