The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress WordPress plugin suffers from a stored cross-site scripting vulnerability (CWE-79) identified as CVE-2024-1806. This vulnerability is due to improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of user-supplied attributes in plugin shortcodes. Authenticated attackers with contributor-level or higher permissions can exploit this to inject malicious scripts that execute in the context of other users visiting the injected pages. The vulnerability affects all versions up to 4.15.1. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, required privileges at the contributor level, no user interaction needed, scope change, and low confidentiality and integrity impact without availability impact. No patch or official fix details are currently available.

Successful exploitation allows authenticated contributors or higher to inject persistent malicious scripts into pages via shortcode attributes. These scripts execute in the browsers of users who access the compromised pages, potentially leading to unauthorized actions or data exposure limited to the confidentiality and integrity impact described by the CVSS score. There is no indication of availability impact or known active exploitation in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict contributor-level permissions carefully and consider limiting shortcode usage or input where possible. Monitor official vendor channels for updates or patches addressing this vulnerability.