CVE-2024-1408 in ProfilePress Plugininfo

Summary

by MITRE • 02/29/2024

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's edit-profile-text-box shortcode in all versions up to, and including, 4.14.4 due to insufficient input sanitization and output escaping on user supplied attributes such as 'type'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 04/12/2026

The vulnerability identified as CVE-2024-1408 affects the ProfilePress plugin for WordPress, specifically targeting versions up to and including 4.14.4. This plugin serves as a comprehensive membership management solution offering ecommerce capabilities, user registration forms, login functionality, user profiles, and content restriction features. The flaw resides within the edit-profile-text-box shortcode implementation, which processes user-supplied attributes without adequate sanitization measures. Security researchers have classified this as a stored cross-site scripting vulnerability, meaning malicious scripts can be permanently stored on the server and executed whenever affected pages are accessed by unsuspecting users. The vulnerability's impact is particularly concerning given that it requires only contributor-level permissions or higher to exploit, making it accessible to users who should normally have restricted capabilities within the WordPress ecosystem. This privileged access requirement does not mitigate the severity of the flaw, as contributors and higher roles typically have access to significant portions of the site's functionality and user data.

The technical root cause of this vulnerability stems from insufficient input validation and output escaping mechanisms within the plugin's shortcode processing logic. When administrators or authorized users create or modify content using the edit-profile-text-box shortcode, the plugin fails to properly sanitize the 'type' attribute and other user-supplied parameters before storing them in the database. This lack of proper sanitization creates a persistent XSS vector where malicious scripts can be embedded and stored indefinitely. The vulnerability operates through the standard XSS attack pattern where an attacker injects malicious JavaScript code through the vulnerable parameter, which then gets executed in the context of other users' browsers when they view pages containing the compromised content. The stored nature of this vulnerability means that the malicious payload persists even after the initial injection, making it particularly dangerous as it can affect multiple users over time without requiring repeated exploitation attempts. This vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws in web applications, and represents a classic case of insufficient output escaping in dynamic content generation.

The operational impact of CVE-2024-1408 extends beyond simple script execution, potentially enabling attackers to perform a wide range of malicious activities within the compromised WordPress environment. An attacker with contributor privileges could leverage this vulnerability to steal session cookies, redirect users to phishing sites, deface the website, or even escalate privileges within the WordPress installation. The ability to execute arbitrary scripts in the context of authenticated users' browsers opens pathways for more sophisticated attacks including credential theft, data exfiltration, and potential lateral movement within the compromised network. The vulnerability's accessibility to contributor-level users means that even relatively low-privilege accounts can pose significant threats to the entire website and its user base. Furthermore, the stored nature of the vulnerability means that the impact is cumulative, with each successful injection potentially affecting multiple users over time, and the malicious code could be used to establish persistent backdoors or command and control channels. The attack vector through the edit-profile-text-box shortcode suggests that content management activities within the plugin could be exploited, making the vulnerability particularly insidious as it leverages legitimate administrative functions.

Organizations and WordPress administrators should prioritize immediate remediation of this vulnerability by upgrading to a patched version of the ProfilePress plugin, as no reliable workarounds exist for this specific flaw. The vulnerability's classification as a stored XSS issue means that simply updating the plugin is insufficient if administrators have not thoroughly reviewed existing content for malicious injections that may have already occurred. Security teams should conduct comprehensive audits of all user-generated content within the plugin's scope, particularly focusing on profile-related data and custom fields that might have been compromised. Implementing additional security measures such as content security policies, enhanced input validation at the WordPress level, and regular security scanning of user-generated content can provide additional layers of protection. The vulnerability also highlights the importance of principle of least privilege in WordPress environments, as limiting contributor-level permissions to only necessary functions can reduce the attack surface. Organizations should consider implementing web application firewalls and monitoring systems that can detect and prevent suspicious shortcode usage patterns, particularly those involving potentially dangerous attributes like 'type'. According to ATT&CK framework, this vulnerability maps to T1566.001 (Phishing: Spearphishing Attachment) and T1548.002 (Abuse of Cloud Infrastructure) as attackers could leverage the compromised environment for further malicious activities. Regular security assessments and keeping all WordPress plugins updated remain critical defensive measures against similar vulnerabilities that may exist in the broader WordPress ecosystem.

Responsible

Wordfence

Reservation

02/09/2024

Disclosure

02/29/2024

Moderation

accepted

CPE

ready

EPSS

0.00598

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!