CVE-2024-1409 identifies a stored cross-site scripting vulnerability in the ProfilePress WordPress plugin, which provides paid membership, ecommerce, user registration, login, user profile, and content restriction functionalities. The vulnerability specifically exists in the [reg-select-role] shortcode, which fails to properly sanitize and escape user-supplied attributes before rendering them on web pages. This flaw allows authenticated users with contributor-level or higher permissions to inject arbitrary JavaScript code that is stored persistently and executed in the browsers of any users who visit the affected pages. The vulnerability impacts all versions up to and including 4.15.0 of the plugin. The CVSS 3.1 base score is 6.4, reflecting a medium severity level, with an attack vector of network, low attack complexity, requiring privileges (contributor or above), no user interaction, and a scope change. The impact includes partial confidentiality and integrity loss but no availability impact. Exploitation could lead to session hijacking, unauthorized actions on behalf of users, or defacement of site content. No public exploits have been reported yet. The vulnerability was published on March 13, 2024, and is assigned by Wordfence. The root cause is improper neutralization of input during web page generation, classified under CWE-79. Since the vulnerability requires authenticated access, attackers must have at least contributor permissions, which limits exposure but still poses a significant risk in multi-user WordPress environments.

The vulnerability allows attackers with contributor-level access to inject persistent malicious scripts into web pages, which execute in the context of any user visiting those pages. This can lead to session hijacking, theft of sensitive user data, unauthorized actions performed with victim user privileges, and potential site defacement. For organizations, this can result in compromised user accounts, loss of customer trust, reputational damage, and potential regulatory consequences if user data is exposed. Since the plugin is used for membership and ecommerce functionalities, exploitation could also disrupt business operations and lead to financial losses. The requirement for authenticated access reduces the risk from external anonymous attackers but does not eliminate the threat, especially in environments with multiple contributors or where contributor accounts may be compromised. The scope of affected systems is broad given the popularity of WordPress and the plugin’s multiple functionalities. The medium CVSS score reflects a moderate but actionable risk.

1. Immediately monitor and restrict contributor-level and higher permissions to trusted users only, minimizing the risk of malicious insiders or compromised accounts exploiting this vulnerability. 2. Apply the official patch or update the ProfilePress plugin to a version that addresses CVE-2024-1409 as soon as it becomes available. 3. In the interim, disable or remove the [reg-select-role] shortcode usage in site content to prevent exploitation. 4. Implement a Web Application Firewall (WAF) with rules to detect and block XSS payloads, especially those targeting the affected shortcode parameters. 5. Conduct regular security audits of user-generated content and plugin configurations to detect suspicious scripts or unauthorized changes. 6. Educate site administrators and contributors about the risks of XSS and the importance of secure coding and input validation. 7. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the website. 8. Monitor logs for unusual activity from contributor accounts and investigate any anomalies promptly. These steps go beyond generic advice by focusing on permission management, shortcode usage control, and layered defenses.