CVE-2024-1852

7.2 HIGH

📋 TL;DR

The WP-Members Membership Plugin for WordPress has a stored cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious scripts via the X-Forwarded-For header. These scripts execute when administrators access the user edit page, potentially compromising admin accounts. All WordPress sites using WP-Members plugin versions up to 3.4.9.2 are affected.

💻 Affected Systems

Products:
  • WP-Members Membership Plugin for WordPress
Versions: All versions up to and including 3.4.9.2
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the WP-Members plugin active. The vulnerability requires attackers to have network access to send HTTP requests with malicious X-Forwarded-For headers.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, gain full WordPress admin access, install backdoors, deface websites, or pivot to attack other systems.

🟠 Likely Case

Attackers steal admin credentials or session tokens, then modify site content, install malicious plugins, or redirect users to phishing sites.

🟢 If Mitigated

With proper web application firewalls and input validation, the attack would be blocked before reaching the vulnerable plugin code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in header processing code, making exploitation straightforward for attackers who can send HTTP requests to the WordPress site.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.9.3

Vendor Advisory: https://plugins.trac.wordpress.org/browser/wp-members/trunk/includes/class-wp-members-user-profile.php#L566

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find WP-Members Membership Plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 3.4.9.3 or later from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Web Application Firewall Rule

Platform: all

Block or sanitize X-Forwarded-For headers at the WAF or reverse proxy level.

# Example ModSecurity rule. The double quote inside the character class must be
# backslash-escaped, otherwise the directive's quoted operator argument ends early.
SecRule REQUEST_HEADERS:X-Forwarded-For "@rx [<>\"'()]" "id:1001,phase:1,deny,status:403,msg:'XSS attempt in X-Forwarded-For header'"
# Nginx configuration: overwrite any client-supplied X-Forwarded-For with the
# address nginx itself accepted the connection from, so the upstream WordPress
# never sees attacker-controlled header content. If nginx is itself behind a
# trusted proxy, set the real client address first with the realip module
# (set_real_ip_from / real_ip_header) so that $remote_addr is the right value.
proxy_set_header X-Forwarded-For $remote_addr;

Temporary Plugin Deactivation

Platform: linux

Disable the WP-Members plugin until patched:

wp plugin deactivate wp-members

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with XSS protection rules to block malicious X-Forwarded-For headers
  • Restrict access to WordPress admin pages to trusted IP addresses only using .htaccess or server configuration

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for WP-Members version. If version is 3.4.9.2 or lower, the site is vulnerable.

Check Version:

wp plugin list --name=wp-members --field=version

Verify Fix Applied:

Verify WP-Members plugin version is 3.4.9.3 or higher in WordPress admin panel.
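To run the version check above across many sites rather than by eye, here is an added Python example (not code from WP-CLI, WordPress or this advisory). It assumes the version string comes from the wp plugin list --name=wp-members --field=version command shown above and uses 3.4.9.3, the fixed version given in this advisory, as the threshold; the function names are illustrative.

```python
"""Compare an installed WP-Members version against the first fixed release.
Added example; not code from WP-CLI, WordPress or this advisory."""
import re
import subprocess
from typing import Tuple

FIXED_VERSION = "3.4.9.3"  # first fixed release named in this advisory


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.4.9.2' into (3, 4, 9, 2).  Only the leading dotted-numeric part
    is used, so a suffix such as '-beta' is ignored.  Numeric comparison
    matters: a plain string compare would rank '3.4.10' below '3.4.9.3'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(n) for n in m.group(1).split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version sorts before the first fixed release.
    Shorter tuples are zero-padded so '3.4.9' compares as '3.4.9.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def installed_version(wp_path: str) -> str:
    """Query WP-CLI (the same command the advisory gives) for the WordPress
    install at wp_path; --path is WP-CLI's global parameter for the site root.
    Returns an empty string when the plugin is not installed."""
    result = subprocess.run(
        ["wp", "plugin", "list", "--name=wp-members", "--field=version",
         f"--path={wp_path}"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    import sys
    # Usage: python check_wp_members.py /var/www/html   (the path is an example)
    version = installed_version(sys.argv[1]) if len(sys.argv) > 1 else "3.4.9.2"
    if not version:
        print("wp-members is not installed")
    else:
        state = "VULNERABLE" if is_vulnerable(version) else "patched"
        print(f"wp-members {version}: {state} (fixed in {FIXED_VERSION})")
```

The numeric comparison is the part worth keeping: string comparison of version numbers silently misclassifies any release whose last component reaches two digits.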

📡 Detection & Monitoring

Log Indicators:

  • Unusual X-Forwarded-For header values containing script tags or JavaScript in WordPress logs
  • Multiple failed login attempts followed by successful admin login from new IP

Network Indicators:

  • HTTP requests with X-Forwarded-For headers containing script tags or JavaScript payloads
  • Unusual outbound connections from WordPress server after admin login

SIEM Query:

source="wordpress.log" AND "X-Forwarded-For" AND ("<script" OR "javascript:" OR "onload=" OR "onerror=")
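The input validation mentioned under "If Mitigated" and the log indicators and SIEM query above, carried through as a runnable Python example. This is added here and is not code from the WP-Members plugin, from WordPress or from this advisory. The log lines are constructed nginx-style entries with the X-Forwarded-For value logged as the last quoted field (the regex assumes that layout), and parse_forwarded_for, safe_display and scan_log are illustrative names.

```python
"""Validate X-Forwarded-For values and scan web-server logs for values that
cannot be client addresses.  Added illustration, not code from the WP-Members
plugin, WordPress or this advisory."""
import html
import ipaddress
import re
from typing import List, Optional, Tuple

# Keywords taken from the advisory's SIEM query (matched case-insensitively).
XSS_MARKERS = ("<script", "javascript:", "onload=", "onerror=")


def parse_forwarded_for(value: str) -> Optional[List[str]]:
    """Return the addresses in an X-Forwarded-For value, or None if any
    comma-separated element is not a syntactically valid IPv4/IPv6 address.

    A genuine X-Forwarded-For header is only ever a list of IP addresses, so
    rejecting everything else before the value is stored is the input
    validation the advisory refers to.  Generic example, not the plugin's fix."""
    if not value:
        return None
    addrs = []
    for part in value.split(","):
        try:
            addrs.append(str(ipaddress.ip_address(part.strip())))
        except ValueError:
            return None
    return addrs


def safe_display(value: str) -> str:
    """Output-side defence: HTML-escape anything rendered into an admin page,
    so even a stored hostile value is shown as text rather than markup."""
    return html.escape(value, quote=True)


# Constructed nginx-style combined log lines with the X-Forwarded-For value
# logged as the final quoted field.  Invented for this example.
LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)

SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" '
    '302 0 "-" "Mozilla/5.0" "198.51.100.4"',
    '203.0.113.7 - - [10/Mar/2024:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" '
    '302 0 "-" "Mozilla/5.0" "198.51.100.4, 10.0.0.5"',
    '203.0.113.9 - - [10/Mar/2024:10:02:15 +0000] "POST /wp-login.php HTTP/1.1" '
    '302 0 "-" "Mozilla/5.0" "<script>1</script>"',
    '203.0.113.9 - - [10/Mar/2024:10:02:20 +0000] "POST /register HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0" "not-an-ip"',
]


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (remote_addr, xff_value, reason) for every suspicious line.

    'xss-keyword' reproduces the advisory's SIEM query; 'not-an-ip-list' is
    the broader check, flagging any value that could not be a real header."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        xff = m.group("xff")
        if xff in ("", "-"):
            continue
        if any(k in xff.lower() for k in XSS_MARKERS):
            hits.append((m.group("remote"), xff, "xss-keyword"))
        elif parse_forwarded_for(xff) is None:
            hits.append((m.group("remote"), xff, "not-an-ip-list"))
    return hits


if __name__ == "__main__":
    for remote, xff, reason in scan_log(SAMPLE_LOG):
        # Escape before writing to a report, for the same reason as safe_display.
        print(f"{remote}\t{reason}\t{safe_display(xff)}")
```

The keyword list mirrors the SIEM query and is cheap to run, but the stricter rule is the second one: a forwarding header that does not parse as a list of IP addresses is wrong regardless of what it contains, and rejecting on that basis at ingestion time does not depend on keeping a keyword list current.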

🔗 References
