Arbitrary script injections possible with WP-Members plugin flaw

More than 60,000 WordPress sites running the WP-Members Membership plugin could be compromised through arbitrary script injection due to a high-severity cross-site scripting vulnerability, tracked as CVE-2024-1852, reports SecurityWeek.

Threat actors could exploit the plugin's user registration feature by creating and intercepting a registration form submission, then modifying it to include an X-Forwarded-For header containing a malicious payload, according to a Wordfence alert. Because the plugin stores the HTTP header value without sanitizing the input, any value containing a malicious script is saved to the user profile and later executed when it is rendered in the page's source code, Wordfence researchers noted.

"It is important to understand that this malicious code will be executed in the context of an administrator’s browser session and can be used to create malicious user accounts, redirect site visitors to other malicious sites, and perform other malicious actions," said Wordfence, which urged the immediate application of WP-Members Membership version 3.4.9.3 to address the security issue.
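The defensive pattern that closes the gap described above, as an added PHP example that is not WP-Members or Wordfence code: the client-supplied X-Forwarded-For header is validated as a list of IP addresses before anything is stored, and the stored value is escaped when it is rendered. It assumes plain PHP only (htmlspecialchars stands in for WordPress's esc_html) and a hypothetical render helper.

```php
<?php
// Added example, not the plugin's code. Two independent controls:
// 1. validate the header before storage (reject anything that is not an IP);
// 2. escape the stored value on output (defense in depth if storage is ever bypassed).
// Caveat: X-Forwarded-For is set by the client unless a trusted proxy overwrites it,
// so even a valid-looking address should only be relied on behind a known proxy.

/**
 * Return the first syntactically valid IP address in an X-Forwarded-For
 * header, or null if none is present. Markup or other junk is discarded
 * rather than stored in the user profile.
 */
function first_valid_forwarded_ip(?string $header): ?string
{
    if ($header === null || trim($header) === '') {
        return null;
    }
    foreach (explode(',', $header) as $candidate) {
        $candidate = trim($candidate);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return null;
}

/**
 * Hypothetical render helper for the admin profile page: HTML-escape the
 * stored value so it is displayed as text, never interpreted as markup.
 * In WordPress the equivalent call is esc_html().
 */
function render_ip_cell(?string $stored): string
{
    if ($stored === null) {
        return '<td>unknown</td>';
    }
    return '<td>' . htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed sample headers: a normal proxy chain, one with markup in place
// of an address (rejected, the later IPv6 address is kept), and plain junk.
$samples = [
    '203.0.113.7, 198.51.100.2',
    '<b>not-an-address</b>, 2001:db8::1',
    'garbage',
];
foreach ($samples as $header) {
    echo render_ip_cell(first_valid_forwarded_ip($header)), PHP_EOL;
}
```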
