CVE-2024-5077 — Cross-Site Request Forgery in WP Emember

CWE-352 — Cross-Site Request Forgery CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.8MEDIUMNVD

EPSS

0.2%

top 57.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tipsandtricks-hq WP Emember

Timeline

PublishedJul 13

Description

The wp-eMember WordPress plugin before 10.6.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:LExploitability: 2.1 | Impact: 4.7

Affected Packages1 packages

▶NVDtipsandtricks-hq/wp_emember< 10.6.6

🔴Vulnerability Details

GHSA

GHSA-w8q9-f7q2-cp4h: The wp-eMember WordPress plugin before 10↗2024-07-13

▶

CVEList

WP eMember < 10.6.6 - Stored XSS in Blacklist via CSRF↗2024-07-13

▶