CVE-2024-2867
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious scripts via the 'title' parameter in the ProfilePress plugin. The scripts are stored and execute when other users view affected pages, potentially compromising their browsers. All WordPress sites using ProfilePress versions up to 4.15.4 are affected.
💻 Affected Systems
- ProfilePress (Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content)
📦 What is this software?
Profilepress by Properfraction
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of users, or deploy malware through the compromised WordPress site.
Likely Case
Attackers with contributor accounts inject malicious scripts that steal user credentials or session tokens when visitors view affected pages.
If Mitigated
With proper input validation and output escaping, the vulnerability is eliminated, preventing script injection entirely.
🎯 Exploit Status
Exploitation requires authenticated access (contributor role or higher). The vulnerability is straightforward to exploit once an attacker has valid credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.15.5
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find ProfilePress and click 'Update Now' if available. 4. Alternatively, download version 4.15.5+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Remove Contributor Access
allTemporarily restrict contributor-level access to prevent exploitation while patching.
Disable ProfilePress Plugin
linuxTemporarily deactivate the plugin until patched.
wp plugin deactivate wp-user-avatar
🧯 If You Can't Patch
- Implement strict access controls: limit contributor accounts to trusted users only and monitor their activity.
- Deploy a web application firewall (WAF) with XSS protection rules to block malicious script injection attempts.
🔍 How to Verify
Check if Vulnerable:
Check ProfilePress plugin version in WordPress admin under Plugins > Installed Plugins. If version is 4.15.4 or lower, the site is vulnerable.Check Version:
wp plugin get wp-user-avatar --field=versionVerify Fix Applied:
After updating, confirm the plugin version shows 4.15.5 or higher in the WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to ProfilePress endpoints with script tags in 'title' parameter
- Multiple failed login attempts followed by successful contributor-level login
Network Indicators:
- Outbound connections to suspicious domains from your WordPress server following page views
SIEM Query:
source="wordpress.log" AND "title=" AND ("<script>" OR "javascript:")🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3061186%40wp-user-avatar%2Ftrunk&old=3053353%40wp-user-avatar%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4eb296af-547a-44aa-b804-833204b75256?source=cve
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3061186%40wp-user-avatar%2Ftrunk&old=3053353%40wp-user-avatar%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4eb296af-547a-44aa-b804-833204b75256?source=cve
