
Arbitrary script injections possible with WP-Members plugin flaw


More than 60,000 WordPress sites with the WP-Members Membership Plugin could be compromised with arbitrary script injections due to a high-severity cross-site scripting vulnerability, tracked as CVE-2024-1852, reports SecurityWeek.

Threat actors could abuse the plugin's user registration feature by creating a registration request, intercepting it, and modifying it to include an X-Forwarded-For header containing a malicious payload, according to a Wordfence alert. Because the plugin stored the header value without sanitizing it, any value containing a malicious script was saved to the user profile and later executed when that profile was rendered in the page's source code, Wordfence researchers noted.

"It is important to understand that this malicious code will be executed in the context of an administrator’s browser session and can be used to create malicious user accounts, redirect site visitors to other malicious sites, and perform other malicious actions," said Wordfence, which urged the immediate application of WP-Members Membership version 3.4.9.3 to address the security issue.
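To make the two failures concrete (trusting a client-supplied header on input, and echoing stored data unescaped on output), here is an added PHP example. It is not WP-Members or Wordfence code; the proxy address, the request values, the `$trusted_proxies` setting and the fallback `esc_html()` stand-in are constructed assumptions so the file runs on a plain `php` CLI without WordPress loaded.

```php
<?php
// Added example, not code from WP-Members or Wordfence. It models the vulnerability class
// described above: an X-Forwarded-For value stored unvalidated in a user profile and later
// rendered unescaped on an admin page, next to a hardened version of the same flow.

// Simplified stand-in so the file runs without WordPress; inside WordPress the real esc_html() is used.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// VULNERABLE pattern: trust the header and store it verbatim.
function registration_ip_unsafe(array $server) {
    return $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'];
}

// HARDENED pattern: honour X-Forwarded-For only when the socket peer is a proxy we operate,
// and keep nothing that does not parse as an IP address. $trusted_proxies is an assumed setting.
function registration_ip_safe(array $server, array $trusted_proxies) {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (in_array($remote, $trusted_proxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // The rightmost entry is the one appended by our own proxy, so it is the trustworthy one.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($hops);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    // Anything else: fall back to the socket peer, which the client cannot spoof.
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '0.0.0.0';
}

// Output side: the profile page must escape on render even when input was validated.
function render_ip_cell_unsafe($stored) {
    return '<td>' . $stored . '</td>';
}
function render_ip_cell_safe($stored) {
    return '<td>' . esc_html($stored) . '</td>';
}

// Defender check: audit values already stored for anything that is not an IP address.
// A version update stops new injections but does not by itself guarantee old rows are clean.
function find_suspicious_ip_values(array $stored_values) {
    return array_filter($stored_values, function ($v) {
        return filter_var($v, FILTER_VALIDATE_IP) === false;
    });
}

// Constructed request: the peer is not a trusted proxy and the header carries markup.
$request = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '<script>alert(1)</script>',
];
$trusted_proxies = ['198.51.100.10']; // constructed address of a hypothetical reverse proxy

$unsafe = registration_ip_unsafe($request);
$safe   = registration_ip_safe($request, $trusted_proxies);

echo "stored (unsafe):   " . $unsafe . PHP_EOL;                        // raw markup reaches the database
echo "stored (safe):     " . $safe . PHP_EOL;                          // 203.0.113.7
echo "rendered (unsafe): " . render_ip_cell_unsafe($unsafe) . PHP_EOL; // script tag lands in admin HTML
echo "rendered (safe):   " . render_ip_cell_safe($unsafe) . PHP_EOL;   // &lt;script&gt;... inert text

$sample_meta = ['10.0.0.5', '<img src=x onerror=alert(1)>', '2001:db8::1']; // constructed
print_r(find_suspicious_ip_values($sample_meta));
```

The input-side check matters because X-Forwarded-For is plain request data: unless a proxy you control rewrites or appends it, the client chooses its contents. The output-side escaping matters independently, since the admin page renders whatever is in the database, including rows written before a validation fix was deployed; the audit function is the check to run on existing profile data after updating.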
