The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress WordPress plugin suffers from a stored cross-site scripting vulnerability (CWE-79) identified as CVE-2024-1408. This vulnerability arises from improper neutralization of input during web page generation, specifically insufficient sanitization and output escaping of the 'type' attribute in the edit-profile-text-box shortcode. Authenticated attackers with contributor-level or higher privileges can inject arbitrary JavaScript code that executes in the context of other users viewing the injected pages. The vulnerability affects all versions up to and including 4.14.4. The CVSS 3.1 base score is 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, required privileges, no user interaction, scope change, and limited confidentiality and integrity impact without availability impact. There is no vendor advisory or patch information available at this time, and no known exploits have been reported.

Successful exploitation allows authenticated users with contributor-level or higher permissions to inject persistent malicious scripts into pages rendered by the plugin. These scripts execute in the browsers of users who access the affected pages, potentially leading to unauthorized actions or data disclosure within the context of the affected site. The impact includes limited confidentiality and integrity compromise but no availability impact. The vulnerability requires authentication and privileges, limiting the attack surface to authorized users.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict contributor-level and higher permissions to trusted users only. Monitor for updates from the plugin vendor and apply patches promptly once released. Avoid using the vulnerable shortcode with untrusted input. No official fix or temporary workaround is currently documented.