Major Security Flaw Discovered in Popular WordPress WP-Members Membership Plugin

Estimated read time 2 min read

A serious security vulnerability was recently found in WP-Members Membership, a widely-used WordPress plugin for creating membership sites. An unauthenticated stored cross-site scripting (XSS) vulnerability, could allow hackers to inject malicious code into sites using the plugin.

The vulnerability, assigned CVE-2024-1852, stems from improper sanitization of the X-Forwarded-For header used by the plugin for logging purposes. Because of this, an unauthenticated attacker could inject malicious JavaScript that would then get executed whenever an admin viewed the users management area.

Burp Request with malicious payload.

This could enable the hacker to create new admin users, modify site settings, redirect visitors to malicious sites, and carry out other nefarious actions – essentially taking full control of the compromised WordPress site.

Over 60,000 Sites Potentially Impacted With WP-Members Membership active on over 60,000 websites, the extent of this vulnerability is quite severe. Any site running version or earlier of the plugin is vulnerable to attack.

The vulnerability was responsibly disclosed to the developers by security researcher Webbernaut through Wordfence‘s Bug Bounty program. Webbernaut received a $500 bounty for finding and reporting the issue.

Patches Released to Fix the Flaw The WP-Members Membership team released version on March 7th, 2024 as an initial patched version, though it did not fully resolve the vulnerability. A few hours later, version was pushed out with complete fixes.

All WP-Members Membership users are strongly urged to update to version immediately to prevent any further risk of exploitation.

Sying Tien

IT professional, Social media scholar and a Crypto expert. If you have any comments, suggestions or questions feel free to contact me at and i will get back to you shortly.

You May Also Like

More From Author