CVE-2024-13120

Name of the Vulnerable Software and Affected Versions Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content versions prior to 4.15.20

Description The issue concerns the Paid Membership Plugin for WordPress, where versions prior to 4.15.20 do not properly sanitise and escape some of its settings. This could allow high-privilege users, such as administrators, to perform Stored Cross-Site Scripting attacks, even in scenarios where the unfiltered html capability is disallowed, like in multisite setups.

Recommendations For versions prior to 4.15.20, update to version 4.15.20 or later to resolve the issue. As a temporary workaround, consider restricting administrative access to trusted users only until the update can be applied. Additionally, review and monitor the plugin's settings and user inputs closely to minimize the risk of exploitation.