Critical Cross-Site Scripting Vulnerability Detected in WordPress WP-Members Membership Plugin

by | Apr 3, 2024 | News


Security researchers from Defiant’s Wordfence research team have uncovered a critical cross-site scripting (XSS) vulnerability within the widely used WordPress WP-Members Membership plugin. This vulnerability, if exploited, could facilitate malicious script injection, posing a significant threat to over 60,000 WordPress websites currently utilizing the plugin.

Reported to Wordfence by WordPress developer Webbernaut as part of the company’s Bug Bounty Extravaganza, the unauthenticated stored cross-site scripting vulnerability allows threat actors to inject arbitrary JavaScript through the X-Forwarded-For header utilized by the plugin for logging purposes. When viewed by an administrator, the injected code executes within the administrator’s browser session, potentially leading to the creation of malicious administrator users and unauthorized changes to the affected site’s settings, culminating in a complete site takeover.


The flaw affects all versions of the WP-Members Membership plugin up to and including 3.4.9.2, stemming from insufficient input sanitization and output escaping. Despite a partial patch in version 3.4.9.2, the vulnerability remains fully exploitable until version 3.4.9.3, which provides comprehensive mitigation measures.

Exploitation

Exploiting this XSS vulnerability entails intercepting a registration request, modifying it to include a malicious payload enclosed in script tags within the X-Forwarded-For header, and submitting it via a proxy. Consequently, the injected script executes whenever a user accesses the manipulated page, facilitating the creation of user accounts with attacker-provided details.

[Image: WordPress WP-Members Membership plugin XSS]
The plugin’s reliance on the vulnerable rktgk_get_user_ip function exacerbates the issue. This function fails to adequately sanitize input, allowing attackers to manipulate HTTP headers and store malicious web scripts as user IP addresses. Upon an administrator’s interaction with the affected user account, the injected JavaScript is executed within the administrator’s browser session, enabling a range of malicious actions, including the creation of additional compromised accounts and unauthorized redirection of site visitors.
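As an added example (not the plugin's own code and not the 3.4.9.3 patch), the following plain PHP shows the two controls this bug calls for: validating the X-Forwarded-For value as an IP address before it is ever stored, and escaping the stored value at output as defence in depth. The function names, the trusted-proxy list and the constructed sample requests are assumptions for illustration.

```php
<?php
// Added example, not the WP-Members code. Function names, the trusted-proxy
// list and the sample requests are assumptions for illustration.

/**
 * Return the client IP. X-Forwarded-For is consulted only when the direct
 * peer (REMOTE_ADDR) is a known proxy, and only if the header holds a valid
 * IP. Anything that is not a syntactically valid IP is discarded, so markup
 * can never be stored as an "IP address".
 */
function example_get_client_ip(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0'; // no usable address at all
    }
    if (in_array($remote, $trusted_proxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // X-Forwarded-For may be a comma-separated chain; the left-most entry
        // is the original client. Validate it instead of trusting it blindly.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = $hops[0];
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
        // Header present but not a valid IP: fall through to REMOTE_ADDR.
    }
    return $remote;
}

/** Escape a stored value before placing it in an admin-page table cell. */
function example_render_ip_cell(string $stored_ip): string
{
    return '<td>' . htmlspecialchars($stored_ip, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed requests: one honest, one carrying markup in the header, one
// whose direct peer is not a trusted proxy (so the header must be ignored).
$proxies = ['10.0.0.5'];
$honest  = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.5'];
$hostile = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '<script>alert(1)</script>'];
$direct  = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];

var_dump(example_get_client_ip($honest, $proxies));
var_dump(example_get_client_ip($hostile, $proxies));
var_dump(example_get_client_ip($direct, $proxies));
echo example_render_ip_cell('<script>alert(1)</script>'), PHP_EOL;
```

The hostile request resolves to the proxy's own address rather than the header contents, and even a value that somehow reached storage is rendered inert by the escaping at output.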

Wordfence emphasizes the severity of this vulnerability, cautioning website administrators against the potential ramifications of exploitation. Immediate action is advised to update the WP-Members Membership plugin to version 3.4.9.3 or implement suitable mitigation measures to safeguard against potential compromise and ensure the integrity of WordPress websites.


Source: securityaffairs.com
