The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress WordPress plugin suffers from a stored cross-site scripting vulnerability (CWE-79) identified as CVE-2024-1535. This vulnerability arises from improper neutralization of input during web page generation, specifically insufficient sanitization and output escaping of user-supplied shortcode attributes. Authenticated attackers with contributor-level or higher privileges can exploit this flaw to inject arbitrary JavaScript code into pages, which executes in the context of users who view those pages. The vulnerability affects all versions up to and including 4.15.2. The CVSS v3.1 base score is 6.4, reflecting network attack vector, low attack complexity, required privileges at the contributor level, no user interaction, and impacts on confidentiality and integrity but not availability. No patch or official fix information is currently available from the vendor or other sources.

Successful exploitation allows authenticated users with contributor-level or higher permissions to inject persistent malicious scripts into pages via shortcode attributes. These scripts execute in the browsers of users who access the infected pages, potentially leading to unauthorized actions such as session hijacking or data theft limited to the scope of the affected site. The impact affects confidentiality and integrity but does not affect availability. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, limit contributor-level access to trusted users only and consider disabling or restricting use of the vulnerable shortcodes. Monitor official channels from the plugin vendor for updates or patches addressing this vulnerability.