CVE-2024-10518

Name of the Vulnerable Software and Affected Versions Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin versions prior to 4.15.15

Description The issue concerns the Paid Membership Plugin's failure to sanitise and escape some of its Membership Plan settings, potentially allowing high-privilege users, such as administrators, to perform Stored Cross-Site Scripting attacks. This vulnerability can be exploited even when the unfiltered html capability is disallowed, for example, in a multisite setup.

Recommendations For versions prior to 4.15.15, update to version 4.15.15 or later to resolve the issue. As a temporary workaround, consider restricting access to the Membership Plan settings to minimize the risk of exploitation. Additionally, restrict the use of the unfiltered html capability to prevent potential attacks.