MembershipWorks WordPress Plugin Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the MembershipWorks – Membership, Events & Directory plugin for WordPress, affecting all versions through 6.14. The issue arises from inadequate input sanitization and output escaping, allowing authenticated attackers with administrator-level permissions to inject arbitrary scripts. This vulnerability is executed when a user accesses an affected page. It specifically impacts multi-site installations where unfiltered_html has been disabled.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Reproduction

To reproduce this vulnerability, an administrator must inject a malicious script into one of the message fields that the plugin outputs without proper escaping. After saving the changes, the administrator can create a post with the '[memberonly]' shortcode. When a non-member visitor accesses the post, the injected script will execute, demonstrating the cross-site scripting vulnerability.

Remediation

Users are advised to update the MembershipWorks WordPress plugin to version 6.15 or later.