ProfilePress Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via ProfilePress User Panel Widget – CVE-2024-2861 | WordPress Plugin Vulnerability Report

Plugin Name: ProfilePress

Key Information:

  • Software Type: Plugin
  • Software Slug: wp-user-avatar
  • Software Status: Active
  • Software Author: collizo4sky
  • Software Downloads: 13,011,623
  • Active Installs: 200,000
  • Last Updated: May 22, 2024
  • Patched Versions: 4.15.9
  • Affected Versions: <= 4.15.8

Vulnerability Details:

  • Name: ProfilePress <= 4.15.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via ProfilePress User Panel Widget
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2024-2861
  • CVSS Score: 6.4 (Medium)
  • Publicly Published: May 22, 2024
  • Researcher: wesley (wcraft)
  • Description: The ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ProfilePress User Panel widget in all versions up to, and including, 4.15.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Summary:

The ProfilePress plugin for WordPress has a vulnerability in versions up to and including 4.15.8 that allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts via the ProfilePress User Panel widget due to insufficient input sanitization and output escaping on user supplied attributes. This vulnerability has been patched in version 4.15.9.

Detailed Overview:

Security researcher wesley (wcraft) discovered a stored cross-site scripting (XSS) vulnerability in the ProfilePress plugin for WordPress. The vulnerability is present in the ProfilePress User Panel widget and affects all versions of the plugin up to and including 4.15.8. Due to insufficient input sanitization and output escaping on user supplied attributes, authenticated attackers with contributor-level access and above can inject arbitrary web scripts that will execute whenever a user accesses an injected page. This vulnerability poses a significant risk as it can be exploited to steal sensitive user information, perform unauthorized actions, or deface the website. The vulnerability has been assigned the CVE identifier CVE-2024-2861 and has a CVSS score of 6.4, indicating a medium severity.

Advice for Users:

  1. Immediate Action: Users are strongly advised to update their ProfilePress plugin to version 4.15.9 or later, which includes a patch for this vulnerability.
  2. Check for Signs of Vulnerability: Users should review their website for any suspicious or unexpected content, particularly in pages containing the ProfilePress User Panel widget.
  3. Alternate Plugins: While a patch is available, users might still consider plugins that offer similar functionality as a precaution.
  4. Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.

The prompt response from the ProfilePress developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 4.15.9 or later to secure their WordPress installations.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-user-avatar

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-user-avatar/profilepress-4158-authenticated-contributor-stored-cross-site-scripting-via-profilepress-user-panel-widget

Detailed Report:

As a website owner, the security of your site and the protection of your users' data should always be a top priority. Keeping your WordPress plugins up to date is a critical aspect of maintaining a secure website. Today, we bring to your attention a recently discovered vulnerability in the popular ProfilePress plugin that could put your site at risk.

About the ProfilePress Plugin

ProfilePress is a popular WordPress plugin that allows users to create custom user registration, login, and profile forms. It is used by over 200,000 active installations and has been downloaded more than 13 million times. The plugin was last updated on May 22, 2024, and is actively maintained by its author, collizo4sky.

The ProfilePress Vulnerability (CVE-2024-2861)

Security researcher wesley (wcraft) discovered a stored cross-site scripting (XSS) vulnerability in the ProfilePress plugin for WordPress. The vulnerability, identified as CVE-2024-2861, is present in the ProfilePress User Panel widget and affects all versions of the plugin up to and including 4.15.8. Due to insufficient input sanitization and output escaping on user-supplied attributes, authenticated attackers with contributor-level access and above can inject arbitrary web scripts that will execute whenever a user accesses an injected page.

Risks and Potential Impacts

This vulnerability poses a significant risk as it can be exploited to steal sensitive user information, perform unauthorized actions, or deface the website. An attacker could use this vulnerability to inject malicious scripts that could potentially compromise your site's security and your users' sensitive information.

How to Remediate the Vulnerability

To protect your website from this vulnerability, it is crucial to update your ProfilePress plugin to version 4.15.9 or later, which includes a patch for this issue. If you are unsure about updating the plugin yourself, consider seeking assistance from a professional or your website administrator.

In addition to updating the plugin, it is also recommended to review your website for any suspicious or unexpected content, particularly in pages containing the ProfilePress User Panel widget.

Previous Vulnerabilities

It is worth noting that the ProfilePress plugin has had a history of vulnerabilities. Since June 2021, there have been 29 previously reported vulnerabilities in the plugin. This underscores the importance of keeping your plugins up to date and regularly monitoring for any security issues.

The Importance of Staying Vigilant

As a small business owner, it is understandable that you may not have the time or resources to constantly monitor for security vulnerabilities in your WordPress plugins. However, the consequences of a security breach can be devastating for your business, both financially and in terms of reputation.

By staying proactive and ensuring that your WordPress plugins are always up to date, you can significantly reduce the risk of falling victim to a security vulnerability. If you find it challenging to keep track of updates yourself, consider enlisting the help of a professional website maintenance service or a trusted web developer who can handle these updates for you.

Remember, the security of your website and the protection of your users' data should always be a top priority. Don't let a vulnerability like the one found in ProfilePress put your business at risk.

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

ProfilePress Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via ProfilePress User Panel Widget – CVE-2024-2861 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment