ProfilePress Vulnerability – Authenticated Stored Cross-Site Scripting via Shortcode – CVE-2024-1535 | WordPress Plugin Vulnerability Report

Plugin Name: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Key Information:

  • Software Type: Plugin
  • Software Slug: wp-user-avatar
  • Software Status: Active
  • Software Author: collizo4sky
  • Software Downloads: 12,610,237
  • Active Installs: 200,000
  • Last Updated: March 14, 2024
  • Patched Versions: 4.15.3
  • Affected Versions: <= 4.15.2

Vulnerability Details:

  • Name: ProfilePress <= 4.15.2
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-1535
  • CVSS Score: 6.4
  • Publicly Published: March 12, 2024
  • Researcher: Arkadiusz Hydzik
  • Description: ProfilePress, a versatile WordPress plugin designed for creating membership sites, user registration forms, and more, has been identified with a vulnerability in versions up to and including 4.15.2. This flaw, CVE-2024-1535, arises from insufficient input sanitization and output escaping within the plugin's shortcodes, allowing authenticated users with at least contributor-level permissions to perform Stored Cross-Site Scripting (XSS) attacks. The injected scripts are stored in the page and execute in the browser of any user who later views it.


ProfilePress, a widely used plugin that extends WordPress functionality for membership and user profile management, has encountered a significant security issue in versions up to and including 4.15.2. This vulnerability, attributed to inadequate sanitization of user-supplied attributes within the plugin's shortcodes, permits authenticated Stored Cross-Site Scripting attacks, jeopardizing site security and user data integrity. The issue has been rectified in the subsequent version, 4.15.3, ensuring the plugin's safe usage moving forward.

Detailed Overview:

The vulnerability was brought to light by cybersecurity researcher Arkadiusz Hydzik, highlighting the critical nature of thorough input sanitization in web development, especially in plugins that process user-generated content. The ability of contributors or higher-level users to exploit this vulnerability underscores the necessity of robust security protocols in plugin development and user role management within WordPress sites.

Advice for Users:

  • Immediate Action: It is crucial for users of the ProfilePress plugin to upgrade to version 4.15.3 promptly. This update addresses the XSS vulnerability, enhancing the security of WordPress sites utilizing the plugin.
  • Check for Signs of Vulnerability: Site administrators are advised to closely monitor their websites for any indications of unauthorized script injections or alterations, particularly in areas where shortcodes are utilized.
  • Alternate Plugins: While the patched version mitigates the identified risk, users may explore alternative plugins offering similar functionalities with potentially different or additional security measures.
  • Stay Updated: The significance of maintaining up-to-date installations of all WordPress components cannot be overstated. Regular updates are pivotal in protecting against known vulnerabilities and ensuring optimal website functionality and security.
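
A review aid for the "Check for Signs of Vulnerability" step, added here as an example and not taken from ProfilePress or from this report: it flags shortcode attributes in post content that contain quotes, angle brackets, event-handler names or javascript: URLs, and checks a version string against the affected range. The post rows and the shortcode name example-form are constructed placeholders; real input would come from an export of the site's post content.

```python
import html
import re

# One shortcode tag such as [name key="value" other='v'] (nesting is ignored).
SHORTCODE = re.compile(r"\[(?P<name>[A-Za-z][\w-]*)(?P<attrs>[^\]]*)\]")
# key="value" or key='value' pairs inside the tag.
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")
# Markers that have no business inside a shortcode attribute value.
SUSPICIOUS = re.compile(r"""["'<>]|\bon\w+\s*=|javascript\s*:""", re.IGNORECASE)


def is_affected(version: str) -> bool:
    """True for ProfilePress versions <= 4.15.2 (fixed in 4.15.3)."""
    return tuple(int(p) for p in version.split(".")) <= (4, 15, 2)


def scan_post(post_id: int, content: str) -> list:
    """Return (post_id, shortcode, attribute, value) per suspicious attribute."""
    findings = []
    for tag in SHORTCODE.finditer(content):
        for key, dq, sq in ATTR.findall(tag.group("attrs")):
            # Decode entities first so &lt; and &quot; are judged like < and ".
            value = html.unescape(dq or sq)
            if SUSPICIOUS.search(value):
                findings.append((post_id, tag.group("name"), key, value))
    return findings


def scan_all(posts) -> list:
    """Scan every (post_id, post_content) row and collect the findings."""
    return [f for post_id, body in posts for f in scan_post(post_id, body)]


# Constructed sample rows (post ID, post_content); "example-form" is a
# placeholder shortcode name, not one taken from the plugin.
SAMPLE_POSTS = [
    (101, 'Sign up: [example-form id="3" class="wide"]'),
    (102, """Welcome [example-form id="4" class='x" onmouseover="alert(1)']"""),
    (103, 'See [example-form title="&lt;b&gt;Hi&lt;/b&gt;"] and [gallery ids="1,2"]'),
]

if __name__ == "__main__":
    print("installed version affected:", is_affected("4.15.2"))
    for finding in scan_all(SAMPLE_POSTS):
        print(finding)
```

Findings are leads for manual review of the post and its author, not proof of compromise; a legitimate attribute can trip the heuristic.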


The swift mitigation of CVE-2024-1535 in the ProfilePress plugin underscores the ever-present need for vigilance and proactive measures in digital security within the WordPress ecosystem. For small business owners and website administrators, particularly those with limited technical resources, the commitment to regular software updates and adherence to security best practices is paramount in safeguarding digital assets and sustaining user trust in an increasingly complex cybersecurity landscape.


In today's digital age, keeping a website secure is paramount, particularly for small business owners who may lack the time and resources to constantly monitor their online presence. The recent identification of a vulnerability in the ProfilePress plugin, an essential tool for WordPress sites used by over 200,000 users, brings to light the ongoing battle against digital threats and the critical importance of maintaining updated software.

Plugin Overview

ProfilePress is a versatile WordPress plugin designed to enhance website functionality with features like paid membership, user registration forms, login forms, user profiles, and content restriction. Developed by collizo4sky, the plugin has seen over 12 million downloads, underlining its popularity and widespread use within the WordPress community.

Vulnerability Details

The vulnerability, cataloged as CVE-2024-1535, affects all versions of ProfilePress up to and including 4.15.2. This flaw allows authenticated users with contributor-level permissions or higher to exploit the plugin's shortcodes for Stored Cross-Site Scripting (XSS) attacks, injecting malicious scripts that are executed when other users view the compromised pages. The vulnerability, which carries a CVSS score of 6.4, was reported by cybersecurity researcher Arkadiusz Hydzik.

Risks and Impacts

This vulnerability poses significant risks to website integrity and user data privacy, enabling attackers to perform actions such as data theft, unauthorized access, and potentially even taking control of affected sites. The fact that these attacks can be perpetrated by users with relatively low-level permissions magnifies the threat, highlighting the necessity for stringent security protocols and user role management.


In response to the discovery of CVE-2024-1535, the developers of ProfilePress promptly released a patched version, 4.15.3, effectively neutralizing the threat posed by this vulnerability. Users are urged to update their installations without delay to safeguard their sites from potential exploitation.

Previous Vulnerabilities

This is not the first time ProfilePress has faced security challenges; there have been 26 previous vulnerabilities reported since June 2021. This history emphasizes the importance of continuous vigilance and regular updates in the cybersecurity landscape.


The resolution of CVE-2024-1535 within ProfilePress is a crucial reminder for all WordPress site administrators, particularly those overseeing small business websites, of the importance of staying abreast of security vulnerabilities and ensuring timely updates. In an era where digital threats are increasingly sophisticated, the security of a WordPress site is an ongoing commitment that requires diligence, awareness, and proactive measures to maintain a secure and trustworthy online presence.

Final Note

For small business owners juggling numerous responsibilities, the task of constantly monitoring for vulnerabilities may seem daunting. However, adopting a routine of regular updates and leveraging trusted security resources can significantly mitigate risks, protecting your digital assets and the trust of your users.
