CVE-2024-10517

Name of the Vulnerable Software and Affected Versions Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin versions prior to 4.15.15

Description The issue concerns the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin, where some of its Drag & Drop Builder fields are not properly sanitized and escaped. This could allow high-privilege users, such as administrators, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a multisite setup.

Recommendations For versions prior to 4.15.15, update to version 4.15.15 or later to resolve the issue. As a temporary workaround, consider restricting access to the Drag & Drop Builder fields to minimize the risk of exploitation. Additionally, ensure that the unfiltered html capability is properly configured and disallowed for non-administrative users to reduce the attack surface.