CVE-2024-5081 — Cross-Site Request Forgery in WP Emember

CWE-352 — Cross-Site Request Forgery CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

0.3%

top 50.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tipsandtricks-hq WP Emember

Timeline

PublishedAug 5

Description

The wp-eMember WordPress plugin before v10.7.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

▶NVDtipsandtricks-hq/wp_emember< 10.7.0

🔴Vulnerability Details

CVEList

WP eMember <= v10.7.0 - Stored XSS via CSRF↗2024-08-05

▶

GHSA

GHSA-xr9f-3r4j-v7r6: The wp-eMember WordPress plugin before v10↗2024-08-05

▶