WP eMember < 10.6.6 - Stored XSS in Blacklist via CSRF
Description
CSRF in WP eMember plugin ≤10.6.5 lets an attacker trick an admin into injecting stored XSS via the blacklist feature.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Versions of the WP eMember WordPress plugin before 10.6.6 lack three controls in the blacklist administration feature: a CSRF check on the request that adds a blacklist entry, sanitisation of the submitted entry, and escaping of the stored entry when it is rendered back in the admin interface [1]. Together these gaps allow a stored cross-site scripting (XSS) payload to be planted through a forged (CSRF) request [1].
Exploitation
The attacker crafts a request to the blacklist feature whose entry field carries a JavaScript payload, then lures an authenticated administrator into submitting it, for example by clicking a crafted link or visiting an attacker-controlled page that auto-submits the form while the administrator is logged in to the WordPress admin [1]. No privileges of the attacker's own are required: because the plugin does not verify that the request originated from its own admin page, the victim's browser attaches the administrator's session cookies and the plugin processes the request as if the administrator had made it [1]. The payload is stored in the plugin's blacklist settings and executes whenever an administrator (the victim or any other user who can view that page) opens the page that renders the list [1].
Impact
Successful exploitation results in stored XSS within the WordPress admin panel. The attacker can execute arbitrary JavaScript in the context of the admin's session, potentially leading to session hijacking, forced administrative actions, or further site compromise [1].
Mitigation
The vulnerability is fixed in version 10.6.6 of the WP eMember plugin [1]. All users should update to this version or later immediately; site operators can confirm the installed version from the WordPress Plugins screen or with the WP-CLI command wp plugin list. There is no published workaround for versions below 10.6.6 [1].
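The following PHP is an added illustration and is not WP eMember's code. It shows a hypothetical plugin that keeps an admin-managed blacklist in a WordPress option, first with the three defects the Vulnerability section names (no CSRF check, no input sanitisation, no output escaping) and then with the conventional WordPress fixes that a release such as 10.6.6 would be expected to contain. The option name example_blacklist, the form field and nonce names, the function names, and the admin_init hook are all assumptions made for the example; the WordPress API calls (check_admin_referer, current_user_can, sanitize_text_field, wp_unslash, esc_html, wp_nonce_field, get_option, update_option) are real.

```php
<?php
// Added illustration, not WP eMember's code. Option name, field names,
// function names and hooks are assumptions for the example.

// --- Vulnerable pattern (the three gaps the advisory describes) ---------------

function example_blacklist_save_vulnerable() {
    if ( ! isset( $_POST['blacklist_entry'] ) ) {
        return;
    }
    // No nonce/referer check: any page the admin visits can POST this form
    // cross-origin and the browser will attach the admin's session cookies.
    // No capability check: relies on "only admins see this page".
    $entry  = $_POST['blacklist_entry'];           // raw, unsanitised input
    $list   = get_option( 'example_blacklist', array() );
    $list[] = $entry;
    update_option( 'example_blacklist', $list );   // payload is now persisted
}

function example_blacklist_render_vulnerable() {
    echo '<ul>';
    foreach ( (array) get_option( 'example_blacklist', array() ) as $entry ) {
        echo '<li>' . $entry . '</li>';            // unescaped: stored XSS fires here
    }
    echo '</ul>';
}

// --- Hardened pattern -----------------------------------------------------------

function example_blacklist_save_hardened() {
    if ( ! isset( $_POST['blacklist_entry'] ) ) {
        return;
    }
    // 1. CSRF: the form must carry a nonce bound to this action and this user.
    //    check_admin_referer() stops the request with an error page otherwise.
    check_admin_referer( 'example_blacklist_save', 'example_blacklist_nonce' );

    // 2. Authorisation: being logged in is not enough; require the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }

    // 3. Input sanitisation: undo WordPress's magic-quote slashing, then strip
    //    tags, NUL bytes and surrounding whitespace before storing. A real
    //    blacklist of emails or IPs should validate the format more strictly.
    $entry = sanitize_text_field( wp_unslash( $_POST['blacklist_entry'] ) );
    if ( '' === $entry ) {
        return;
    }
    $list   = get_option( 'example_blacklist', array() );
    $list[] = $entry;
    update_option( 'example_blacklist', $list );
}

function example_blacklist_render_hardened() {
    // 4. Output escaping: stored data is still untrusted; escape for the
    //    context it is written into (esc_html for element text).
    echo '<ul>';
    foreach ( (array) get_option( 'example_blacklist', array() ) as $entry ) {
        echo '<li>' . esc_html( $entry ) . '</li>';
    }
    echo '</ul>';

    // The form that submits to the hardened handler must emit the matching
    // nonce field, otherwise the check above would reject legitimate saves too.
    echo '<form method="post">';
    wp_nonce_field( 'example_blacklist_save', 'example_blacklist_nonce' );
    echo '<input type="text" name="blacklist_entry">';
    echo '<button type="submit">Add</button>';
    echo '</form>';
}

// Hooked on admin_init for the example; a production plugin would typically
// register a dedicated admin-post action instead.
add_action( 'admin_init', 'example_blacklist_save_hardened' );
```

The four numbered steps are independent: a nonce alone would stop the CSRF delivery described above but not an XSS planted by a malicious administrator, and sanitising on input does not remove the need to escape on output, because the same stored string may later be written into an attribute or script context where esc_html is the wrong escaper (esc_attr or wp_json_encode would be needed).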
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
WP eMember (WordPress plugin), versions before 10.6.6
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
- wpscan.com/vulnerability/00fcbcf3-41ee-45e7-a0a9-0d46cb7ef859/ (reference tags: mitre, exploit, vdb-entry, technical-description)
News mentions (0)
No linked articles in our index yet.