CVE-2024-1409 in Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content Plugininfo

Summary

by MITRE • 03/13/2024

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [reg-select-role] shortcode in all versions up to, and including, 4.15.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/12/2026

The vulnerability identified as CVE-2024-1409 affects the ProfilePress WordPress plugin, a comprehensive membership management solution that handles user registration, login, profile management, and content restriction functionalities. This plugin serves as a critical component for WordPress websites implementing user access controls and membership-based content delivery. The vulnerability specifically resides within the [reg-select-role] shortcode functionality, which allows administrators to create registration forms with role selection capabilities. The flaw represents a significant security risk as it affects all versions up to and including 4.15.0, indicating a widespread exposure across numerous installations. The vulnerability is classified as a stored cross-site scripting issue, meaning malicious scripts are permanently stored on the server and executed whenever affected pages are accessed, rather than being reflected in HTTP responses.

The technical root cause of this vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's shortcode processing logic. When administrators use the [reg-select-role] shortcode, the plugin fails to properly validate or sanitize user-supplied attributes before storing them in the database. This insufficient sanitization creates an opening for attackers to inject malicious JavaScript code through attributes that are meant to define role selection parameters. The vulnerability is particularly concerning because it requires only contributor-level permissions or higher, making it accessible to users who typically have limited administrative capabilities. This low privilege requirement significantly expands the potential attack surface, as contributors and higher-level users often have access to the WordPress admin interface and can modify content or plugin settings.

The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to manipulate user experiences and potentially exfiltrate sensitive information. Authenticated attackers with contributor permissions can inject scripts that execute in the context of other users' browsers, potentially allowing for session hijacking, credential theft, or data manipulation. The stored nature of the vulnerability means that once injected, malicious scripts persist indefinitely until manually removed, creating a long-term threat vector. This type of vulnerability aligns with CWE-79, which specifically addresses Cross-Site Scripting flaws, and represents a clear violation of secure coding practices that require proper input validation and output escaping. The attack vector is particularly dangerous because it leverages legitimate plugin functionality, making malicious activity harder to distinguish from normal user behavior.

Mitigation strategies for this vulnerability must address both immediate remediation and long-term security improvements. The primary recommendation involves upgrading to the latest version of the ProfilePress plugin where this vulnerability has been patched. Organizations should implement comprehensive monitoring of their WordPress installations to detect unauthorized shortcode modifications or suspicious user activities. Security hardening measures should include restricting contributor-level permissions to only essential functions, implementing additional input validation at the WordPress level, and conducting regular security audits of plugin configurations. From an ATT&CK framework perspective, this vulnerability maps to T1546.001 (Event Triggered Execution: Change in File Creation/Modification) and T1059.001 (Command and Scripting Interpreter: Visual Basic), as attackers may modify plugin files or create malicious scripts to exploit the stored XSS. Additionally, implementing Content Security Policy headers and regular security scanning of WordPress installations can provide additional layers of protection against exploitation attempts.

Responsible

Wordfence

Reservation

02/09/2024

Disclosure

03/13/2024

Moderation

accepted

CPE

ready

EPSS

0.00443

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!