ThreatPress

WordPress Vulnerabilities Database

WordPress WP Membership Plugin 1.2.3 - Multiple Vulnerabilities

Product
WP Membership
Description
There are multiple vulnerabilities in this WordPress Membership plugin.
1. Privilege escalation. An attacker can take the administrative role on the affected website via the "iv_membership_update_user_settings" AJAX action.
2. Stored XSS. An attacker can log in as a regular user and update any field of the profile.
3. Unauthorized post publishing and stored XSS. An attacker can publish posts without any administrator permission.
Solution
Upgrade the plugin.
Classification
Type Multi
References
Exploit-DB
CVE
Name CVE-2015-4038
Versions
Affected In <= 1.2.3
Fixed In 1.2.4
Disclosure date
2015-05-21
Credits
Panagiotis Vagenas