The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress suffers from a stored cross-site scripting vulnerability (CWE-79) via the 'name' parameter. This occurs because the plugin fails to properly sanitize and escape user input before rendering it on member listing pages when using the Gerbera theme. This flaw allows unauthenticated attackers to inject malicious scripts that execute in the context of users visiting the injected pages. The vulnerability affects all versions up to and including 4.14.4. The CVSS 3.1 base score is 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and impacts on confidentiality and integrity. There is no vendor advisory or patch currently referenced, and no known exploits in the wild have been reported.

Successful exploitation allows unauthenticated attackers to inject and execute arbitrary JavaScript in the browsers of users who visit the affected member listing pages using the Gerbera theme. This can lead to information disclosure and integrity issues such as session hijacking or unauthorized actions performed on behalf of the user. Availability is not impacted. The vulnerability is limited to environments where the member listing page is active and the Gerbera theme is used.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should consider disabling the member listing page or avoid using the Gerbera theme to reduce exposure. Monitoring for updates from the plugin vendor or WordPress security channels is recommended.