CVE-2024-10518 in Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content Plugin
Summary
by MITRE • 12/12/2024
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.15 does not sanitise and escape some of its Membership Plan settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 05/17/2025
The vulnerability identified as CVE-2024-10518 affects the Paid Membership Plugin for WordPress, a widely used solution for managing user registration forms, login functionality, user profiles, and content restriction across WordPress sites. This plugin serves as a critical component in many WordPress installations, particularly those requiring membership management and ecommerce functionality. The flaw exists in versions prior to 4.15.15, making it a significant concern for administrators who have not yet updated their installations. The vulnerability specifically targets the plugin's handling of Membership Plan settings, where insufficient sanitization and escaping of user input creates a pathway for malicious code execution.
The technical nature of this vulnerability stems from the plugin's failure to properly sanitize and escape user-provided data within its Membership Plan configuration settings. When high-privilege users such as administrators interact with these settings, they can inject malicious scripts that persist within the application's database. This stored cross-site scripting vulnerability operates even when the WordPress environment has restricted the unfiltered_html capability, which is a standard security measure in multisite configurations. The vulnerability essentially bypasses WordPress's built-in security mechanisms that are designed to prevent untrusted users from executing potentially harmful code within the application's administrative interfaces.
The operational impact of this vulnerability is particularly severe given that it affects administrative users who typically have the highest privileges within a WordPress installation. An attacker who can compromise an administrator account or gain access to a high-privilege user role can execute persistent XSS attacks that can affect other administrators or site visitors. The vulnerability's persistence means that malicious scripts remain active until manually removed from the plugin's settings, potentially allowing for session hijacking, credential theft, or further compromise of the WordPress installation. In multisite environments, where unfiltered_html is often restricted by default, this vulnerability becomes even more dangerous as it can bypass these security restrictions.
This vulnerability maps directly to CWE-79, which describes Cross-Site Scripting flaws, and aligns with ATT&CK technique T1566.001 for initial access through malicious web content. The weakness specifically manifests in the plugin's data handling practices where input validation and output escaping are insufficient. The vulnerability's exploitation requires an attacker to have administrative privileges or access to a high-privilege user account, but once exploited, it can provide persistent access to the WordPress administration interface. Organizations using this plugin in multisite configurations are particularly at risk as the vulnerability can be leveraged to maintain access even when standard security measures are in place.
The recommended mitigation strategy involves immediate upgrading to version 4.15.15 or later of the Paid Membership Plugin, which includes proper sanitization and escaping of user input within Membership Plan settings. Administrators should also implement additional security measures such as regular security audits, monitoring of administrative user activities, and ensuring that only trusted individuals have access to administrative accounts. Organizations should consider implementing additional layers of security such as web application firewalls and regular vulnerability scanning to detect potential exploitation attempts. The vulnerability highlights the importance of proper input validation and output escaping in web applications, particularly those handling user-provided configuration data that can affect the entire application's security posture.