CVE-2024-13121

Name of the Vulnerable Software and Affected Versions Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin versions prior to 4.15.20

Description The issue concerns the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin, which does not properly sanitise and escape some of its settings. This could allow high-privilege users, such as administrators, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a multisite setup.

Recommendations For versions prior to 4.15.20, update to version 4.15.20 or later to resolve the issue. As a temporary workaround, consider restricting the use of the vulnerable settings until a patch is applied. Avoid using the unfiltered html capability in multisite setups to minimize the risk of exploitation.