CVE-2024-13120
📋 TL;DR
This vulnerability allows high-privilege WordPress users (like administrators) to inject malicious scripts into plugin settings, which then execute when other users view those settings. It affects WordPress sites using the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content plugin. The attack works even when unfiltered_html capability is disabled, particularly in multisite configurations.
💻 Affected Systems
- Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin
📦 What is this software?
ProfilePress by Properfraction
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin access could inject persistent malicious scripts that steal session cookies, redirect users to phishing sites, or perform actions on behalf of authenticated users across the entire WordPress site.
Likely Case
Malicious administrator or compromised admin account injects JavaScript payloads that affect other administrators or users viewing plugin settings pages, potentially leading to credential theft or site defacement.
If Mitigated
With proper access controls and admin account security, impact is limited to authorized administrators who would need to intentionally exploit their own privileges.
🎯 Exploit Status
Exploitation requires administrative access. Attack involves injecting JavaScript into plugin settings fields that lack proper sanitization.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.15.20
Vendor Advisory: https://wpscan.com/vulnerability/5b70798c-c30d-42e6-ac72-821c5568b9b5/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content'.
4. Click 'Update Now' if available.
5. If a manual update is needed, download version 4.15.20+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Remove vulnerable plugin
Temporarily disable or remove the plugin until patched. Confirm the plugin's slug with `wp plugin list` before running the commands below; the slug on an installation is its directory name and may not match the display name.
wp plugin deactivate paid-membership-pro
wp plugin delete paid-membership-pro
Restrict admin access
Limit administrative accounts to trusted users only and implement strong authentication
🧯 If You Can't Patch
- Implement strict access controls for WordPress administrator accounts
- Monitor plugin settings pages for suspicious JavaScript content
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin → Plugins → Installed Plugins. Look for version number below 4.15.20.
Check Version:
wp plugin get paid-membership-pro --field=version
Verify Fix Applied:
Confirm plugin version is 4.15.20 or higher after update. Test by attempting to inject script tags in plugin settings fields (in test environment).
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to plugin settings by admin users
- JavaScript payloads in plugin option database entries
Network Indicators:
- External script loads from plugin settings pages
- Unexpected outbound connections from admin interface
SIEM Query:
source="wordpress" AND (event="plugin_settings_update" AND plugin="paid-membership-pro") AND (data CONTAINS "<script>" OR data CONTAINS "javascript:")
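The "JavaScript payloads in plugin option database entries" indicator and the SIEM query above can also be checked directly against an export of wp_options. The following is an added example, not code from the advisory or from ProfilePress: it scans (option_name, option_value) rows for script tags, javascript: URIs and inline event handlers, undoing HTML-entity encoding first so that stored `&lt;script&gt;` is not missed. The option-name prefix `ppress_` and the sample rows are constructed assumptions, not the plugin's real option names.

```python
import html
import re
from typing import Iterable, List, Tuple

# Indicators named in the Detection section, plus inline event handlers,
# which are the usual alternative to a bare <script> tag in stored XSS.
INDICATORS = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("javascript: URI", re.compile(r"javascript\s*:", re.I)),
    ("inline event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
]


def decode_layers(value: str, max_rounds: int = 3) -> str:
    """Undo HTML-entity encoding (possibly applied more than once) so a
    payload stored as &lt;script&gt; is still visible to the patterns."""
    for _ in range(max_rounds):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_script_indicators(value: str) -> List[str]:
    """Return the labels of every indicator matched in one option value.
    Serialized PHP arrays are scanned as raw text, which is enough here
    because serialized strings are stored verbatim."""
    text = decode_layers(value)
    return [label for label, pattern in INDICATORS if pattern.search(text)]


def scan_options(rows: Iterable[Tuple[str, str]],
                 option_prefix: str = "ppress_") -> List[Tuple[str, List[str]]]:
    """rows: (option_name, option_value) pairs, e.g. from
    SELECT option_name, option_value FROM wp_options.
    Only options whose name starts with option_prefix (an assumed prefix)
    are inspected; returns (option_name, [indicator, ...]) for hits."""
    findings = []
    for name, value in rows:
        if name.startswith(option_prefix):
            hits = find_script_indicators(value)
            if hits:
                findings.append((name, hits))
    return findings


# Constructed sample rows: one benign serialized setting, one serialized
# setting carrying a script tag, one entity-encoded javascript: link,
# and one core option outside the assumed prefix.
SAMPLE_ROWS = [
    ("ppress_settings", 'a:1:{s:8:"site_msg";s:7:"Welcome";}'),
    ("ppress_settings_data", 'a:1:{s:6:"notice";s:25:"<script>alert(1)</script>";}'),
    ("ppress_link", "&lt;a href=&quot;javascript:alert(1)&quot;&gt;"),
    ("siteurl", "https://example.invalid"),
]

if __name__ == "__main__":
    for name, hits in scan_options(SAMPLE_ROWS):
        print(f"{name}: {', '.join(hits)}")
```

Any hit is a triage lead, not proof of compromise: compare the flagged value against what the settings page legitimately allows before treating it as an injected payload.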