CVE-2024-1852

Name of the Vulnerable Software and Affected Versions WP-Members Membership Plugin versions prior to 3.4.9.3

Description The WP-Members Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the X-Forwarded-For header due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, specifically the edit users page.

Recommendations For versions prior to 3.4.9.3, update to version 3.4.9.3 to fully patch the vulnerability. As a temporary workaround, consider restricting access to the edit users page to minimize the risk of exploitation. Additionally, ensure proper input sanitization and output escaping to prevent similar issues in the future.