CVE-2024-10517
📋 TL;DR
This vulnerability allows high-privilege WordPress users (like administrators) to inject malicious scripts into Drag & Drop Builder fields, which then execute when other users view those pages. It affects WordPress sites using the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content plugin before version 4.15.15, particularly in multisite configurations where unfiltered_html capability is restricted.
💻 Affected Systems
- Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin
📦 What is this software?
ProfilePress by Properfraction
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin privileges could steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially compromising the entire WordPress site and user data.
Likely Case
Malicious administrators or compromised admin accounts could deface websites, inject cryptocurrency miners, or steal user credentials from other administrators and editors.
If Mitigated
With proper access controls and regular admin account monitoring, impact is limited to potential defacement or minor data leakage from users viewing injected content.
🎯 Exploit Status
Exploitation requires admin-level access. Attack involves injecting JavaScript into Drag & Drop Builder fields that persists in the database.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.15.15
Vendor Advisory: https://wpscan.com/vulnerability/f7c3a990-458e-4e15-b427-0b37de120740/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content'.
4. Click 'Update Now' if available, or manually update to version 4.15.15 or later.
5. Verify the plugin version in the plugin details.
🔧 Temporary Workarounds
Remove vulnerable plugin
Temporarily deactivate or delete the vulnerable plugin until it is patched. The slug used below is the one given on this page; confirm it against the output of `wp plugin list` on your site before running the commands.
wp plugin deactivate paid-membership-pro
wp plugin delete paid-membership-pro
Restrict admin access
Limit admin accounts to trusted users only and enforce multi-factor authentication on them.
🧯 If You Can't Patch
- Restrict admin privileges to only essential trusted users
- Implement Content Security Policy (CSP) headers to mitigate XSS impact
🔍 How to Verify
Check if Vulnerable:
Open WordPress admin → Plugins → Installed Plugins, find the plugin and check whether its version is below 4.15.15.
Check Version:
wp plugin get paid-membership-pro --field=version
Verify Fix Applied:
Confirm plugin version is 4.15.15 or higher in WordPress admin plugin details
📡 Detection & Monitoring
Log Indicators:
- Unusual admin activity modifying Drag & Drop Builder content
- JavaScript injection patterns in plugin database fields
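The following is an added example, not code from the advisory or from the ProfilePress plugin: a small scanner that walks stored HTML fragments (such as exported Drag & Drop Builder field values) and flags the script-injection patterns listed above. The sample rows are constructed; the field names and record ids are assumptions, not the plugin's real schema.

```python
"""Flag script-injection patterns in stored builder field values."""
from html.parser import HTMLParser

ACTIVE_ELEMENTS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction"}


class InjectionFinder(HTMLParser):
    """Collects findings while walking one fragment of stored HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_ELEMENTS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):              # onerror=, onload=, onclick=, ...
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and value.lower().startswith("javascript:"):
                self.findings.append(f"{name}={value[:30]!r} on <{tag}>")


def find_injections(fragment: str) -> list:
    """Return human-readable findings for one stored HTML fragment."""
    finder = InjectionFinder()
    finder.feed(fragment)
    finder.close()
    return finder.findings


def scan_records(records) -> dict:
    """records: iterable of (record_id, field_name, html_value).
    Returns {"record_id/field_name": findings} for values with any finding."""
    hits = {}
    for record_id, field, value in records:
        findings = find_injections(value)
        if findings:
            hits[f"{record_id}/{field}"] = findings
    return hits


# Constructed sample rows imitating stored builder field values (not real data).
SAMPLE_ROWS = [
    (101, "heading_text", "<h2>Welcome back, %username%</h2>"),
    (102, "custom_html", '<img src="x" onerror="alert(1)">'),
    (103, "button_link", '<a href="JavaScript:alert(1)">Continue</a>'),
    (104, "custom_html", "<script>alert(1)</script>"),
]

if __name__ == "__main__":
    for key, findings in scan_records(SAMPLE_ROWS).items():
        print(key, "->", "; ".join(findings))
```

Feed it the exported field values from your own database (for example the output of `wp post meta` or `wp option get`) and review every hit by hand; it reports patterns, not confirmed malice.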
Network Indicators:
- Unexpected external script loads from WordPress pages
- Suspicious redirects from plugin-generated pages
SIEM Query:
source="wordpress.log" AND ("drag and drop builder" OR "paid-membership-pro") AND ("update" OR "modify" OR "inject")