CVE-2024-10164 in Premium Packages Plugin
Summary
by MITRE • 11/21/2024
The Premium Packages – Sell Digital Products Securely plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpdmpp_pay_link shortcode in all versions up to, and including, 5.9.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 02/23/2025
CVE-2024-10164 affects the Premium Packages – Sell Digital Products Securely plugin for WordPress and represents a critical flaw that undermines the integrity of sites built on this plugin. The issue lies in the plugin's wpdmpp_pay_link shortcode, which is susceptible to stored cross-site scripting in all versions up to and including 5.9.3. The root cause is that user-supplied shortcode attributes are neither adequately sanitized on input nor escaped on output before they are rendered within the application's execution context.
Technically, the plugin fails to apply proper security controls to user input that arrives through shortcode attributes. When an authenticated user with contributor-level access or higher submits content carrying script code in the attributes of the wpdmpp_pay_link shortcode, WordPress stores that content without adequate sanitization. The injected script then executes in the browser of every user who views a page containing the shortcode, creating a persistent threat vector that can affect many users of the WordPress installation. The weakness is classified as CWE-79 (Cross-Site Scripting) and is mapped to ATT&CK technique T1566.001, Phishing with Social Engineering.
Operationally, this vulnerability poses a significant risk to WordPress installations running the affected plugin, because an attacker with relatively low privileges can compromise the security of an entire site. Contributors and higher roles can already create and modify content, so the attack requires minimal privilege escalation. Because the XSS is stored, an injected script persists in the system and runs automatically for every user who views an affected page, which can lead to session hijacking, data theft, or further compromise of the WordPress environment, for example by redirecting users to malicious sites, stealing administrative credentials, or performing actions on behalf of authenticated users.
Mitigation requires WordPress administrators to update the Premium Packages plugin to version 5.9.4 or later, where the sanitization and escaping mechanisms have been properly implemented. Administrators should also audit installed plugins regularly, monitor for unauthorized content modifications, and deploy a Content Security Policy to limit the impact of any successful injection. The fix addresses the root cause by validating input and escaping output for all user-supplied attributes of the wpdmpp_pay_link shortcode, so that injected script is neutralized before it is stored or rendered. Organizations should further consider a web application firewall and regular security scanning to detect similar weaknesses in other installed components and to maintain their overall security posture.
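The following PHP is an added illustration of the defect class described in the Summary and Analysis above and of the kind of fix the Mitigation paragraph refers to; it is not code from the Premium Packages plugin. The shortcode name `example_pay_link`, its attributes (`url`, `label`, `class`) and both handler functions are assumptions chosen for the example. The unsafe handler shows the pattern in which attribute values are interpolated straight into markup; the hardened handler declares the accepted attributes with `shortcode_atts()` and escapes each value with the WordPress helper for the context it is printed in.

```php
<?php
/**
 * Added illustration, not the Premium Packages plugin's own code.
 *
 * Why the shortcode handler is where escaping has to happen: WordPress
 * runs a contributor's post body through KSES, which strips disallowed
 * HTML, but the text inside a shortcode's attributes is only a string at
 * save time. The handler turns it into markup when the page is viewed, so
 * whatever the handler echoes unescaped reaches every visitor's browser.
 */

// --- Unsafe pattern (the shape of the CVE): attributes echoed verbatim. ---
function example_pay_link_unsafe( $atts ) {
    // Whatever the author typed in [example_pay_link url="..." label="..."]
    // lands in the HTML unchanged, including quotes and angle brackets.
    $url   = isset( $atts['url'] )   ? $atts['url']   : '';
    $label = isset( $atts['label'] ) ? $atts['label'] : 'Buy now';
    $class = isset( $atts['class'] ) ? $atts['class'] : 'pay-link';

    return '<a href="' . $url . '" class="' . $class . '">' . $label . '</a>';
}

// --- Hardened pattern: validate on input, escape per output context. ---
function example_pay_link_safe( $atts ) {
    // Declare the accepted attributes and their defaults; any attribute
    // not listed here is discarded before the handler ever sees it.
    $atts = shortcode_atts(
        array(
            'url'   => '',
            'label' => 'Buy now',
            'class' => 'pay-link',
        ),
        $atts,
        'example_pay_link'
    );

    // esc_url() keeps only URLs whose scheme is in wp_allowed_protocols()
    // and returns '' otherwise, so the href context never receives a
    // script-capable scheme.
    $url = esc_url( $atts['url'] );
    if ( '' === $url ) {
        return ''; // nothing sensible to render without a valid URL
    }

    // Each value is escaped for the exact context it is printed in:
    // sanitize_html_class() + esc_attr() for the class attribute,
    // esc_html() for the link text.
    return sprintf(
        '<a href="%s" class="%s" rel="nofollow">%s</a>',
        $url,
        esc_attr( sanitize_html_class( $atts['class'], 'pay-link' ) ),
        esc_html( $atts['label'] )
    );
}

// Register only the hardened handler; the unsafe one is kept above for comparison.
add_shortcode( 'example_pay_link', 'example_pay_link_safe' );
```

When reviewing a plugin for this defect class, the check is mechanical: find every `add_shortcode()` handler and confirm that each attribute reaches the output only through an escaping function matching its context (`esc_url()` for `href`, `esc_attr()` for other attributes, `esc_html()` for text). For an already-affected site, updating the plugin stops new injections from rendering, but content saved while the old version was active should still be reviewed; searching post content for the shortcode name and inspecting its attribute values is a reasonable starting point.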