CVE-2024-10517 in Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content Plugininfo

Summary

by MITRE • 12/12/2024

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.15 does not sanitise and escape some of its Drag & Drop Builder fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 05/17/2025

The vulnerability identified as CVE-2024-10517 affects the Paid Membership Plugin for WordPress, specifically versions prior to 4.15.15. This plugin provides comprehensive membership management functionality including ecommerce capabilities, user registration forms, login forms, user profiles, and content restriction features. The issue stems from inadequate input sanitization and output escaping within the plugin's Drag & Drop Builder interface, creating a critical security gap that can be exploited by users with administrative privileges.

The technical flaw resides in the plugin's handling of user inputs within its visual builder component where drag and drop functionality is implemented. When high-privilege users such as administrators interact with the builder interface, the plugin fails to properly sanitize or escape certain field values before they are stored in the database and subsequently rendered in the user interface. This oversight creates a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into the plugin's configuration fields. The vulnerability is particularly concerning because it can be exploited even in environments where the unfiltered_html capability has been explicitly restricted, such as in multisite WordPress installations where security hardening measures are typically enforced.

The operational impact of this vulnerability extends beyond simple XSS attacks as it provides a persistent attack vector that can compromise the entire WordPress installation. An attacker with administrative access can inject malicious JavaScript code that executes whenever the affected plugin interface is accessed, potentially leading to session hijacking, data exfiltration, or privilege escalation within the WordPress environment. The stored nature of this vulnerability means that the malicious payloads persist even after the initial injection, making detection and remediation more challenging. This vulnerability can be particularly dangerous in multisite environments where administrators may have broader access controls and where the attack surface is expanded across multiple sites within the network.

Mitigation strategies for this vulnerability should focus on immediate plugin updates to version 4.15.15 or later, which includes proper input sanitization and output escaping mechanisms. Administrators should also implement additional security measures such as regular security audits of plugin configurations, monitoring of user activity within the admin interface, and implementation of web application firewalls to detect and block suspicious script injections. The vulnerability aligns with CWE-79 which specifically addresses Cross-Site Scripting flaws, and may be categorized under ATT&CK technique T1548.001 for privilege escalation through the exploitation of administrative capabilities. Organizations should also consider implementing least privilege principles and regular security assessments to prevent similar vulnerabilities from being introduced through third-party plugins in their WordPress environments.

Responsible

WPScan

Reservation

10/29/2024

Disclosure

12/12/2024

Moderation

accepted

CPE

ready

EPSS

0.00340

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!