ProfilePress Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via [reg-select-role] Shortcode – CVE-2024-1409 | WordPress Plugin Vulnerability Report

By Your WP Guy | February 22, 2024

Plugin Name: ProfilePress

Key Information:

  • Software Type: Plugin
  • Software Slug: wp-user-avatar
  • Software Status: Active
  • Software Author: collizo4sky
  • Software Downloads: 12,483,598
  • Active Installs: 200,000
  • Last Updated: February 22, 2024
  • Patched Versions: 4.15.1
  • Affected Versions: <= 4.15.0

Vulnerability Details:

  • Name: ProfilePress <= 4.15.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via [reg-select-role] Shortcode
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2024-1409
  • CVSS Score: 6.4 (Medium)
  • Publicly Published: February 22, 2024
  • Researcher: Ngô Thiên An
  • Description: The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [reg-select-role] shortcode in all versions up to, and including, 4.15.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Summary:

The ProfilePress for WordPress has a vulnerability in versions up to and including 4.15.0 that allows authenticated users with contributor-level permissions or higher to inject arbitrary web scripts via the [reg-select-role] shortcode. This cross-site scripting vulnerability has been patched in version 4.15.1.

Detailed Overview:

Ngô Thiên An publicly disclosed an improper input sanitization vulnerability in the ProfilePress plugin version 4.15.0 and earlier on February 22, 2024. This vulnerability, tracked as CVE-2024-1409, leverages insufficient sanitization of attributes in the [reg-select-role] shortcode which allows authenticated users with contributor permissions or higher to inject arbitrary JavaScript that is stored and executed whenever a user views a vulnerable page. Attackers could potentially exploit this to hijack user sessions, redirect users to malicious sites, or insert malicious code into vulnerable pages. Users are advised to update immediately to version 4.15.1 which contains protections against this vulnerability. There have been 24 previous vulnerabilities in ProfilePress since June 2021, which highlights the importance of timely updates.

Advice for Users:

  1. Immediate Action: Update to ProfilePress version 4.15.1 as soon as possible.
  2. Check for Signs of Vulnerability: Review pages and posts on your site for unauthorized code injected via the vulnerable shortcode.
  3. Alternate Plugins: Consider alternate user registration, membership and profile plugins as a precaution, such as Ultimate Member or Paid Memberships Pro.
  4. Stay Updated: Enable automatic updates for plugins and regularly check the ProfilePress changelog for security fixes.

Conclusion:

ProfilePress responded quickly with a patched version to address this vulnerability. Users should ensure they are running version 4.15.1 or later to safeguard their WordPress sites. The number of historical vulnerabilities is a reminder for users to keep software updated to the latest secure versions.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-user-avatar

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-user-avatar/paid-membership-plugin-ecommerce-user-registration-form-login-form-user-profile-restrict-content-profilepress-4150-authenticated-contributor-stored-cross-site-scripting-via-reg-select-role-shortcode

Detailed Report:

Keeping your WordPress website secure should be a top priority – unfortunately, vulnerabilities in plugins can put that security at risk if you don't stay vigilant. Just last week, a vulnerability was disclosed in the popular ProfilePress plugin that could allow hackers to take over user accounts, deface sites, and even install malware.

ProfilePress is installed on over 200,000 WordPress sites and powers user registration, membership, profiles and more. Versions up to and including 4.15.0 contain a vulnerability (tracked as CVE-2024-1409) stemming from insufficient input sanitization on a registration form shortcode.

This vulnerability is serious because an attacker could leverage it to inject malicious JavaScript code into pages and posts on vulnerable sites. When other users view these pages, the malicious code would execute – allowing the hacker to potentially hijack user sessions, redirect to malicious sites, or deface the vulnerable site.

If you use ProfilePress, you should update to version 4.15.1 immediately to patch this vulnerability. And even if you don’t use this specific plugin, this is an important reminder of the importance of timely plugin updates. Outdated plugins are involved in over half of WordPress infections – which can lead to defaced sites, stolen customer data, and even blacklisting by Google.

In addition to updating ProfilePress, small business owners should:

  • Enable automatic background updates for plugins whenever possible, to ensure vulnerabilities get patched rapidly
  • Regularly check plugin changelogs for security fixes, and schedule updates if automatic updates are not enabled
  • Consider limiting user roles like Contributors, who may not need shortcode access, to reduce attack surface
  • Learn some basic signs of compromise like unauthorized code or files appearing on your site
  • Leverage a site monitoring tool to detect and block attacks targeting vulnerabilities

This vulnerability is just the latest in a long line for ProfilePress. There have been 24 security issues reported in the plugin since June 2021 – over one per month. While the developers responded quickly here with a patched version, the sheer volume of problems highlights the overall risk of relying on outdated plugin code.

Keeping your plugins updated is truly a security best practice. As a small business owner without a large IT team, it can seem endless and overwhelming – but with some preventative care you can stay on top of it. Enabling automatic background updates, proactively scheduling monthly plugin scans, and using security tools tailored for WordPress can help harden your site from threats related to vulnerabilities like this.

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

ProfilePress Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via [reg-select-role] Shortcode – CVE-2024-1409 | WordPress Plugin Vulnerability Report FAQs

Share this post:

Share on Pinterest Share on LinkedIn Share on Reddit Share on WhatsApp Share on Pocket Share on SMS
Posted in Security, Vulnerabilities and tagged , , , , , , , , , , ,

Leave a Comment