CVE-2024-5715

7.1 HIGH

📋 TL;DR

This reflected cross-site scripting (XSS) vulnerability in the wp-eMember WordPress plugin allows attackers to inject malicious scripts via unsanitized request parameters that are reflected back into pages. It primarily affects high-privilege users, such as administrators, who open crafted links. WordPress sites running vulnerable versions of the plugin are affected.

💻 Affected Systems

Products:
  • wp-eMember WordPress Plugin
Versions: before 10.6.7
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with the vulnerable plugin version are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could steal administrator session cookies, perform actions as the administrator (such as installing backdoors), or redirect users to malicious sites, potentially leading to complete site compromise.

🟠 Likely Case

Attackers craft malicious links containing XSS payloads and trick administrators into clicking them, leading to session hijacking or limited unauthorized actions.

🟢 If Mitigated

With proper input validation and output escaping, the attack fails, and no impact occurs beyond failed exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires tricking a user into clicking a malicious link; no authentication is needed to trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.6.7

Vendor Advisory: https://wpscan.com/vulnerability/d86bc001-51ae-4dcc-869b-80c91251cc2e/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find wp-eMember and update to version 10.6.7 or later.
4. Verify the update completes successfully.

🔧 Temporary Workarounds

Disable the wp-eMember Plugin

Temporarily deactivate the plugin to prevent exploitation until patching is possible:

wp plugin deactivate wp-eMember

🧯 If You Can't Patch

  • Implement a Web Application Firewall (WAF) with XSS protection rules to block malicious requests.
  • Educate users, especially administrators, to avoid clicking suspicious links.
  • Enable Content Security Policy (CSP) headers to limit what injected scripts can do.

🔍 How to Verify

Check if Vulnerable:

Check the wp-eMember plugin version in the WordPress admin panel under Plugins > Installed Plugins; if the version is below 10.6.7, the site is vulnerable.

Check Version:

wp plugin get wp-eMember --field=version

Verify Fix Applied:

After updating, confirm the plugin version is 10.6.7 or higher in the WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual GET or POST requests to wp-eMember endpoints with script tags or JavaScript payloads in parameters.
  • Bursts of 404 errors or other unusual activity against plugin paths.

Network Indicators:

  • HTTP requests containing malicious script payloads in query strings targeting wp-eMember URLs.

SIEM Query:

source="web_logs" AND (uri="*wp-eMember*" AND (query="*<script>*" OR query="*javascript:*"))
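The SIEM query above matches the literal strings `<script>` and `javascript:`, so a payload that arrives percent-encoded (as most crafted links do) would not match. The following is an added example, not part of this advisory or the plugin, that applies the same log indicators to combined-format access log lines after decoding the query parameters; the log lines and the admin paths in them are constructed sample data, since the advisory names only the plugin slug.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Indicators the advisory names (<script> tags, javascript: URLs) plus inline
# event-handler attributes, which reflected XSS payloads commonly use instead.
XSS_RE = re.compile(r'<\s*script|javascript\s*:|\bon\w+\s*=', re.IGNORECASE)


def decode_fully(value, max_rounds=3):
    """Strip nested percent-encoding; parse_qsl removes one layer, this removes more."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_request(line):
    """Return (ip, param, decoded_value) for a suspicious wp-eMember request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group('target')
    # Scope to plugin URLs; the slug is the only path element the advisory gives.
    if 'wp-emember' not in target.lower():
        return None
    for key, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = decode_fully(raw)
        if XSS_RE.search(value):
            return (m.group('ip'), key, value)
    return None


def scan(lines):
    """Run flag_request over an iterable of log lines and collect the hits."""
    return [hit for hit in map(flag_request, lines) if hit]


# Constructed sample log lines (not real traffic); the admin.php paths are illustrative.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2024:10:01:02 +0000] "GET /wp-admin/admin.php?page=wp-eMember&search=john HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [10/Jun/2024:10:01:09 +0000] "GET /wp-admin/admin.php?page=wp-eMember&msg=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5300 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2024:10:01:15 +0000] "GET /wp-admin/admin.php?page=wp-eMember&msg=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 5300 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Jun/2024:10:01:21 +0000] "GET /wp-admin/admin.php?page=wp-eMember&redirect=JavaScript%3Aalert(1) HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jun/2024:10:01:30 +0000] "GET /wp-login.php?redirect_to=%3Cscript%3E HTTP/1.1" 200 2100 "-" "Mozilla/5.0"',
]
```

`scan(SAMPLE_LOG)` flags the single-encoded, double-encoded and `javascript:` requests (three hits) and ignores the benign search and the non-plugin request.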
