VYPR
Unrated severity · NVD Advisory · Published Aug 5, 2024 · Updated Aug 5, 2024

WP eMember <= v10.7.0 - Stored XSS via CSRF

CVE-2024-5081

Description

CSRF in wp-eMember allows an attacker to trick a logged-in admin into injecting stored XSS, impacting sites before v10.7.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The wp-eMember WordPress plugin before version 10.7.0 lacks CSRF checks in some administrative functions and fails to sanitize and escape user input. This allows an attacker to craft a cross-site request forgery (CSRF) payload that, when executed by a logged-in administrator, injects malicious JavaScript into the site's database, leading to stored cross-site scripting (XSS). The vulnerable code is present in the plugin's admin-facing components that handle member management or configuration [1].

Exploitation

An attacker needs to trick a logged-in WordPress administrator into visiting a malicious link or page. The attacker crafts a CSRF request that submits a form or triggers an AJAX call to the vulnerable plugin endpoint, including a payload containing unescaped JavaScript. Because the plugin does not verify a CSRF nonce, the admin's browser sends the forged request along with the admin's session cookies and the plugin accepts it as legitimate. The payload is stored in the WordPress database (e.g., as a member profile field or plugin setting) and is rendered on subsequent page loads without proper escaping, so the stored XSS fires [1].

Impact

Successful exploitation results in persistent JavaScript execution in the context of the WordPress admin dashboard or any user-facing pages where the injected payload is displayed. An attacker can steal session cookies, perform actions on behalf of the admin, deface the site, or redirect users to malicious domains. The impact is limited by the need for admin interaction, but the stored payload can affect multiple victims [1].

Mitigation

The vulnerability is fixed in version 10.7.0 of the wp-eMember plugin, released on 2024-07-15. Administrators should update to this version or later. No official workaround has been provided; disabling the plugin until updated is a temporary measure. There is no evidence that this CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
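To make the two missing controls concrete, here is an added example that is not wp-eMember's code: a hypothetical admin handler written the way the advisory describes (no nonce check, no capability check, raw input stored and echoed), beside the hardened form using the standard WordPress nonce, capability, sanitization and escaping APIs. All function and option names are assumptions.

```php
<?php
// Added example, not the plugin's code. Hypothetical admin action that stores a
// free-text "note" setting; vypr_example_* names and the option key are assumed.

// BEFORE (the pattern the advisory describes), shown for contrast and not hooked:
// any site the admin visits can POST here, the value is stored unsanitized, and
// it is echoed unescaped, so the stored markup runs as script in the dashboard.
function vypr_example_save_note_unsafe() {
    update_option( 'vypr_example_note', $_POST['note'] );     // no nonce, no capability, no sanitization
}
function vypr_example_render_note_unsafe() {
    echo '<p>' . get_option( 'vypr_example_note' ) . '</p>';  // no output escaping
}

// AFTER: the form carries a nonce bound to this action and the admin's session.
function vypr_example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="vypr_example_save_note">';
    wp_nonce_field( 'vypr_example_save_note', 'vypr_example_nonce' );  // hidden nonce input
    echo '<input type="text" name="note"><button>Save</button></form>';
}

function vypr_example_save_note_safe() {
    // Dies with HTTP 403 when the nonce is missing or not valid for this action
    // and user, which is exactly what defeats a cross-site forged request.
    check_admin_referer( 'vypr_example_save_note', 'vypr_example_nonce' );
    // A valid nonce proves intent, not privilege: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // Sanitize on the way in (strips tags, control characters).
    $note = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
    update_option( 'vypr_example_note', $note );
    wp_safe_redirect( admin_url( 'admin.php?page=vypr-example&saved=1' ) );
    exit;
}
add_action( 'admin_post_vypr_example_save_note', 'vypr_example_save_note_safe' );

function vypr_example_render_note_safe() {
    // Escape on the way out as well, so a value that reached the database by any
    // other path (import, older version, direct DB edit) cannot become script.
    echo '<p>' . esc_html( get_option( 'vypr_example_note', '' ) ) . '</p>';
}
```

Both controls are needed: the nonce stops the forged write, and output escaping stops an already-stored value from executing.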

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
