A high-severity vulnerability in the Ultimate Member plugin can be exploited to inject malicious scripts into WordPress sites, the Wordfence team at WordPress security firm Defiant warns.
Tracked as CVE-2024-2123, the vulnerability is described as a stored cross-site scripting issue via several parameters, allowing attackers to inject web scripts into a site's pages, to be executed whenever those pages are loaded.
The flaw, Wordfence explains, exists because of insufficient input sanitization and output escaping.
An insecure implementation of the plugin's members directory list functionality enables unauthenticated attackers to inject web scripts.
Typically, XSS flaws such as CVE-2024-2123 can be exploited to inject code to create new administrative accounts, redirect visitors to malicious sites, or inject backdoors, Wordfence notes.
The security defect was submitted via the Wordfence bug bounty program on February 28.
The plugin's developers were informed of the bug on March 2 and a patch was released on March 6.
The flaw impacts Ultimate Member versions 2.8.3 and prior.
Users are advised to update to Ultimate Member 2.8.4 as soon as possible.
A user profile and membership WordPress plugin supporting user registration, logins, profiles, and more, Ultimate Member has more than 200,000 active installations.
According to WordPress' statistics, the plugin has been downloaded roughly 100,000 times over the past seven days, suggesting that half of its users remain vulnerable to CVE-2024-2123.
This Cyber News was published on www.securityweek.com. Publication date: Mon, 11 Mar 2024 15:43:07 +0000