A security researcher reported a critical vulnerability in the WP-Members Membership Plugin that allows attackers to inject malicious scripts and potentially take over websites.
Unauthenticated attackers could exploit the stored XSS flaw in the X-Forwarded header, with the injected script executing in an administrator's session. The researchers who responsibly disclosed the issue were rewarded.
On March 7th, the plugin vendor released a partial patch (v3.4.9.2), followed shortly after by a full fix (v3.4.9.3); site owners should upgrade to the latest version to mitigate the risk.
A critical vulnerability (CVSS: 7.2) exists in WordPress's WP-Members Membership Plugin versions up to 3.4.9.2, which arises from insufficient sanitization and escaping of the X-Forwarded header.
Malicious attackers can exploit this to inject arbitrary scripts into the database, which then execute whenever a user visits the edit user page.
While a partial fix was implemented in version 3.4.9.2, a complete resolution arrived only in version 3.4.9.3. Upgrading to the latest version is crucial to addressing this security risk.
Technical Analysis Of The Vulnerability:
An attacker can exploit a cross-site scripting vulnerability in WP-Members by injecting malicious code into the X-Forwarded header during user registration.
It is achievable by intercepting the registration request with a proxy and modifying it to include the attacker's script; the vulnerable plugin stores that script as the user's IP address, so it executes whenever the user's information is displayed.
The `rktgk_get_user_ip` function in the vulnerable plugin relies on unsanitized HTTP headers (`HTTP_CLIENT_IP` or `HTTP_X_FORWARDED_FOR`) to determine a user's IP address.
This allows attackers to place scripts in these headers, which are then stored as the user's IP; when an administrator views or edits that user account, the stored value is rendered without escaping and the script executes within the administrator's browser session, making this a stored XSS.
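As an added illustration (not the plugin's own code), the unsafe pattern described above beside a hardened version: the forwarded header is only honoured when the request arrives from a trusted proxy, the value is kept only if it parses as an IP address, and the stored value is escaped at output so an old payload already in the database cannot execute. The `$request` array and the proxy address are constructed for the example.

```php
<?php
// Constructed illustration of the defect: a client-controlled header is
// returned verbatim and later stored as the user's IP.
function get_user_ip_unsafe(array $server): string {
    if (!empty($server['HTTP_CLIENT_IP'])) {
        return $server['HTTP_CLIENT_IP'];        // attacker-controlled, unsanitized
    }
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $server['HTTP_X_FORWARDED_FOR'];  // attacker-controlled, unsanitized
    }
    return $server['REMOTE_ADDR'] ?? '';
}

// Hardened version: honour X-Forwarded-For only when REMOTE_ADDR (set by the
// web server, not the client) is a known reverse proxy, take the first hop,
// and keep it only if it is syntactically an IP address. Anything else
// collapses to REMOTE_ADDR, so no free-form text ever reaches the database.
function get_user_ip_safe(array $server, array $trusted_proxies = []): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (in_array($remote, $trusted_proxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $first = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '';
}

// Output side: escape regardless of how the value was stored. This is what
// neutralises payloads that were written before the input validation existed.
function render_ip_cell(string $stored_ip): string {
    return '<td>' . htmlspecialchars($stored_ip, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed request: the first forwarded hop is markup, not an address.
$request = [
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR' => '<b>not an IP</b>, 198.51.100.7',
];
var_dump(get_user_ip_unsafe($request));                 // raw header text
var_dump(get_user_ip_safe($request, ['203.0.113.10'])); // falls back to REMOTE_ADDR
echo render_ip_cell(get_user_ip_unsafe($request)), "\n"; // markup is escaped
```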
The administrator account may be compromised, malicious users may be created, or visitors may be redirected to harmful websites.
Wordfence contacted the vendor and coordinated a patch; while version 3.4.9.2 addressed part of the issue, existing payloads could still be triggered.
Version 3.4.9.3 fully patched the vulnerability; users are advised to update the plugin and to share this information with others who use it.