CVE-2024-2765

5.4 MEDIUM

📋 TL;DR

This vulnerability allows authenticated WordPress users with subscriber-level access or higher to inject malicious scripts into Skype and Spotify URL fields in the Ultimate Member plugin. The scripts are stored and execute automatically when other users view affected profile pages. All WordPress sites using vulnerable plugin versions are affected.

💻 Affected Systems

Products:
  • Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress
Versions: All versions up to and including 2.8.4
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Ultimate Member plugin enabled. Vulnerability is present in default configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of users, or deploy malware to site visitors.

🟠 Likely Case

Attackers with subscriber accounts inject malicious scripts that execute when administrators or other users view their profiles, potentially leading to account compromise or data theft.

🟢 If Mitigated

With proper input validation and output escaping, malicious scripts would be neutralized before execution, preventing any impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access (subscriber role or higher). Public proof-of-concept exists in GitHub pull request #1491.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.8.5 and later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3067953%40ultimate-member&new=3067953%40ultimate-member&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Ultimate Member plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 2.8.5+ from WordPress.org and replace the plugin files.

🔧 Temporary Workarounds

Disable Skype and Spotify Fields

all

Remove or disable the vulnerable Skype and Spotify URL fields from user profiles to prevent injection.

Navigate to Ultimate Member → Settings → General → Users → disable 'Skype ID' and 'Spotify URL' fields

Restrict User Roles

all

Temporarily restrict subscriber-level users from editing profile fields containing URLs.

Use WordPress role management plugins to modify subscriber capabilities

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads in Skype and Spotify parameters.
  • Monitor and audit user profile modifications for suspicious script injections.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Ultimate Member → Version. If version is 2.8.4 or lower, you are vulnerable.

Check Version:

wp plugin list --name='ultimate-member' --field=version

Verify Fix Applied:

After updating, verify plugin version shows 2.8.5 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual modifications to user profile fields containing Skype or Spotify URLs
  • Multiple failed XSS attempts in web server logs

Network Indicators:

  • Outbound connections to suspicious domains from your WordPress site
  • Unexpected JavaScript payloads in HTTP requests

SIEM Query:

source="wordpress.log" AND ("skype" OR "spotify") AND ("script" OR "javascript" OR "onerror" OR "onload")
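The "If Mitigated" section above relies on input validation and output escaping, and the "If You Can't Patch" list asks for auditing of stored profile values. As an added example (not code from the advisory or from the Ultimate Member plugin), the Python below validates Skype and Spotify profile values against a scheme allowlist and markup check, flags stored values that fail, and shows the hardened rendering step. The record layout, field names and sample values are constructed assumptions; the plugin's real meta keys are not given on this page.

```python
import html
from urllib.parse import urlparse

# Constructed assumption: how a site might export user meta for the two
# affected fields. The real Ultimate Member meta key names are not on the page.
SAMPLE_RECORDS = [
    (12, "skype", "skype:live:alice"),
    (12, "spotify", "https://open.spotify.com/user/alice"),
    (47, "spotify", "open.spotify.com/user/bob"),             # scheme-less but harmless
    (47, "skype", "javascript:alert(1)"),                     # script scheme
    (93, "spotify", '" onmouseover="alert(1)'),               # breaks out of the attribute
    (93, "skype", "&lt;script&gt;alert(1)&lt;/script&gt;"),  # markup hidden as entities
]

# Schemes a Skype or Spotify profile link legitimately needs (plus none at all).
ALLOWED_SCHEMES = {
    "skype": {"", "skype", "http", "https"},
    "spotify": {"", "spotify", "http", "https"},
}

def is_safe_profile_url(field, value):
    """True only if value is a plain link for this field: allowed scheme, no markup."""
    decoded = html.unescape(value).strip()          # see through entity-encoded tags
    if any(ch in decoded for ch in '<>"\'') or any(ord(ch) < 0x20 for ch in decoded):
        return False                                # tag/attribute breakout or control chars
    return urlparse(decoded).scheme.lower() in ALLOWED_SCHEMES[field]

def audit_profile_fields(records):
    """Return the (user_id, field, value) rows that fail validation."""
    return [r for r in records if not is_safe_profile_url(r[1], r[2])]

def render_profile_link(field, value):
    """Hardened output: drop invalid values, escape valid ones before they reach HTML."""
    return html.escape(value, quote=True) if is_safe_profile_url(field, value) else ""

if __name__ == "__main__":
    for uid, field, value in audit_profile_fields(SAMPLE_RECORDS):
        print(f"user {uid}: suspicious {field} value {value!r}")
```

Run against a real export of the two fields, the flagged rows are the ones to review and clear before viewing those profiles from a privileged account.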
