CVE-2024-11225
Description
The Premium Packages – Sell Digital Products Securely plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 5.9.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Premium Packages plugin for WordPress allows unauthenticated attackers to inject arbitrary scripts via crafted links.
Vulnerability
Overview
The Premium Packages – Sell Digital Products Securely plugin (wpdm-premium-packages) for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in all versions up to and including 5.9.3. The flaw sits in includes/libs/functions.php (the file named in the references) and follows a well-known WordPress pattern: when add_query_arg() is called without an explicit base URL it builds its result on $_SERVER['REQUEST_URI'], so the path of the incoming request is copied into the URL it returns. If that URL is then written into an href or other markup without esc_url(), whoever controls the request path controls part of the rendered page. The bug is in how the URL is output, not in any authenticated action, so no login is required on the attacker's side [1].
Exploitation
An attacker crafts a URL to the affected site whose path carries the payload (typically a double quote to close the attribute, followed by a new tag) and delivers it to a victim by link, email or a redirecting page. When the victim's browser requests that URL, the plugin reflects the path into the page and the injected script runs in the site's origin with the victim's session. Two practical caveats: the payload has to live in the path rather than the query string, because add_query_arg() URL-encodes the query parameters it rebuilds but copies the path through verbatim; and the characters have to reach PHP unencoded, since $_SERVER['REQUEST_URI'] is not decoded, so whether a given browser percent-encodes quotes and angle brackets in the path decides whether a plain link works against that browser. No authentication is needed to trigger the flaw; the impact scales with the privileges of whoever clicks.
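The following PHP is an added example and not code from the wpdm-premium-packages plugin or from WordPress core: it reimplements just enough of add_query_arg() and esc_url() (named demo_add_query_arg and demo_esc_url here) to show both the URL-building behaviour described in the Overview and the crafted request from the Exploitation section in one runnable file. The request path, the parameter name wpdm_action and both call sites are constructed for illustration; the plugin's real call site in includes/libs/functions.php is not reproduced.

```php
<?php
// Added example, not plugin or WordPress code. demo_add_query_arg() and
// demo_esc_url() are simplified stand-ins for WordPress's add_query_arg()
// and esc_url(); the request URI and parameter names below are constructed.

// Like WordPress's add_query_arg(), build the new URL on the raw request
// URI: the path is copied through untouched, only the query string is
// rebuilt and URL-encoded. That asymmetry is why the payload must sit in
// the path, not in a query parameter.
function demo_add_query_arg(array $args, string $request_uri): string
{
    $fragment = '';
    if (($pos = strpos($request_uri, '#')) !== false) {
        $fragment = substr($request_uri, $pos);
        $request_uri = substr($request_uri, 0, $pos);
    }
    $path = $request_uri;
    $query = '';
    if (($pos = strpos($request_uri, '?')) !== false) {
        $path = substr($request_uri, 0, $pos);
        $query = substr($request_uri, $pos + 1);
    }
    parse_str($query, $params);
    foreach ($args as $key => $value) {
        $params[$key] = $value;
    }
    $qs = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    return $path . ($qs !== '' ? '?' . $qs : '') . $fragment;
}

// Simplified esc_url(): drop every byte outside the character class that
// WordPress's esc_url() allows (this is what removes " < > and spaces),
// then entity-encode for an HTML attribute. The real function also
// normalises entities and checks the URL scheme; that is omitted here.
function demo_esc_url(string $url): string
{
    $url = preg_replace('|[^a-z0-9\-~+_.?#=!&;,/:%@$\|*\'()\[\]\x80-\xff]|i', '', $url);
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The vulnerable pattern behind this bug class: add_query_arg() output
// written straight into an attribute. Constructed call site.
function vulnerable_link(string $request_uri): string
{
    $url = demo_add_query_arg(['wpdm_action' => 'download'], $request_uri);
    return '<a href="' . $url . '">Download</a>';
}

// The hardened pattern: the same URL, passed through esc_url() at output.
function hardened_link(string $request_uri): string
{
    $url = demo_esc_url(demo_add_query_arg(['wpdm_action' => 'download'], $request_uri));
    return '<a href="' . $url . '">Download</a>';
}

// Constructed attacker request, as PHP would see it in
// $_SERVER['REQUEST_URI'] if the client sent these bytes unencoded.
$attack = '/packages/"><img src=x onerror=alert(document.domain)><a href="/?x=1';

echo 'vulnerable: ', vulnerable_link($attack), PHP_EOL;
echo 'hardened:   ', hardened_link($attack), PHP_EOL;
```

Run it with the php command-line binary. The first line shows the href closed early by the quote in the path and an img element with an event handler landing in the markup, while the query parameter the code meant to add is appended harmlessly at the end; the second line shows the same request reduced to an odd-looking but inert URL, because esc_url() strips the breakout characters rather than encoding them. The fix belongs at the output site: the input is the request path, which cannot be validated upstream without breaking normal routing.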
Impact
Successful exploitation runs attacker-controlled JavaScript in the victim's browser within the site's origin. Against an anonymous visitor this is limited to defacement, phishing overlays or redirection to a malicious site; against a logged-in editor or administrator the script can drive the WordPress admin and REST API with the victim's session and nonce, which is enough to create users, change settings or install code. An HttpOnly session cookie prevents the script from reading the cookie but does not stop the actions it performs in-page, so session hijacking is only one of the possible outcomes and not the worst one.
Mitigation
This page lists no patched version, but the references include a changeset to includes/libs/functions.php in the plugin's trunk, the same file the vulnerable code lives in and the kind of commit a fix for this issue would arrive in. Check the plugin page [1] for a release newer than 5.9.3 and, before trusting it, compare its functions.php with the 5.9.3 tag to confirm the add_query_arg() output is now passed through esc_url(). Until a fixed version is installed the options are limited: a WAF rule that rejects requests whose path contains a raw double quote, "<" or ">" blocks the obvious payloads; a Content-Security-Policy that disallows inline script limits what an injection can execute; and users with elevated roles should treat links to the site that carry unusual path segments as suspect. Because the vulnerable code runs for unauthenticated requests, restricting who can log in does not remove the exposure.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1 (wpdm-premium-packages, all versions up to and including 5.9.3)
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] wordpress.org/plugins/wpdm-premium-packages/ (via NVD)
[2] plugins.trac.wordpress.org/browser/wpdm-premium-packages/tags/5.9.3/includes/libs/functions.php (via NVD)
[3] plugins.trac.wordpress.org/changeset/3195568/wpdm-premium-packages/trunk/includes/libs/functions.php (via NVD)
[4] www.wordfence.com/threat-intel/vulnerabilities/id/a2e847fd-0932-4d65-a201-b86e39a33588 (via NVD)
News mentions: 0 (no linked articles in our index yet)