CVE-2024-10518

CVSS 3.1 Score 4.8 of 10 (medium)

Details

Published Dec 12, 2024

Summary

CVE-2024-10518 is a stored cross-site scripting (XSS) vulnerability affecting the Paid Membership Plugin for WordPress. This issue, present in versions below 4.15.15, allows high privilege users, including admins, to inject malicious scripts into Membership Plan settings. The plugin fails to sanitize and escape these settings, enabling attackers to execute scripts even when the unfiltered_html capability is disabled, posing a serious security risk in multisite setups.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share