Simple Membership Vulnerability – Open Redirect – CVE-2024-22308 | WordPress Plugin Vulnerability Report
Plugin Name: Simple Membership
Key Information:
- Software Type: Plugin
- Software Slug: simple-membership
- Software Status: Active
- Software Author: mra13
- Software Downloads: 2,388,048
- Active Installs: 50,000
- Last Updated: January 19, 2024
- Patched Versions: 4.4.2
- Affected Versions: <= 4.4.1
Vulnerability Details:
- Name: Simple Membership <= 4.4.1 - Open Redirect
- Title: Open Redirect
- Type: URL Redirection to Untrusted Site ('Open Redirect')
- CVE: CVE-2024-22308
- CVSS Score: 6.1 (Medium)
- Publicly Published: January 19, 2024
- Researcher: Joshua Chan
- Description: The Simple Membership plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 4.4.1. This is due to insufficient validation on the redirect url supplied via the swpm_page_url parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
Summary:
The Simple Membership plugin for WordPress has a vulnerability in versions up to and including 4.4.1 that allows unauthenticated attackers to redirect users to potentially malicious sites. This vulnerability has been patched in version 4.4.2.
Detailed Overview:
The Simple Membership plugin has an open redirect vulnerability due to insufficient validation of the swpm_page_url parameter. Attackers can supply a malicious redirect URL that will redirect users from the WordPress site to external malicious sites. This could be used for phishing attacks or other malicious purposes.
This vulnerability was publicly disclosed on January 19, 2024 by researcher Joshua Chan. It affects all plugin versions up to and including 4.4.1. Users are advised to update to version 4.4.2 which contains a fix for this vulnerability by properly sanitizing and validating the swpm_page_url parameter.
Advice for Users:
- Immediate Action: Update to version 4.4.2 or higher as soon as possible.
- Check for Signs of Vulnerability: Review web server access logs for requests that carry a swpm_page_url parameter whose value points away from your own site (an absolute URL on another host, or a value beginning with // or a backslash variant of it).
- Alternate Plugins: Consider alternative membership plugins like MemberPress or Paid Memberships Pro as a precaution.
- Stay Updated: Enable automatic updates for your plugins in WordPress (they are switched on per plugin from the Plugins screen) to receive security fixes as soon as they are released.
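The Detailed Overview above describes the bug as a redirect target taken from swpm_page_url without sufficient validation, and the advice above asks you to look for abuse of that parameter in access logs. The following is an added Python illustration of both points; it is not the plugin's code (Simple Membership is written in PHP) and is not taken from the report. The site host, the allowed-host set, the fallback URL and the log lines are constructed assumptions.

```python
"""Open-redirect pattern and a log check, illustrated in Python.

Constructed example: Simple Membership is PHP and none of its code is
reproduced here. SITE_HOST, ALLOWED_HOSTS, FALLBACK and SAMPLE_LOG are
assumptions made for the illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "members.example.com"            # assumed WordPress site host
ALLOWED_HOSTS = {SITE_HOST}                  # hosts a redirect may target
FALLBACK = f"https://{SITE_HOST}/wp-admin/"  # where rejected targets go instead


def redirect_vulnerable(swpm_page_url: str) -> str:
    """The unsafe pattern: the client-supplied value becomes the Location."""
    return swpm_page_url


def _normalise(location: str) -> str:
    """Browsers treat "\\" like "/" and "//host" as protocol-relative; make the
    parser see the same URL the browser will."""
    loc = location.strip().replace("\\", "/")
    return "https:" + loc if loc.startswith("//") else loc


def is_safe_redirect(location: str) -> bool:
    """True only for site-relative paths or http(s) URLs on an allowed host.

    Rejects the usual bypasses: "//evil", "/\\evil", "https:evil" (no
    authority), non-web schemes, and userinfo tricks such as "https://site@evil".
    """
    loc = _normalise(location)
    parts = urlsplit(loc)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False                         # javascript:, data:, ...
    if not parts.netloc:
        # No host present: accept only a path beginning with "/". This also
        # rejects "https:evil" and "https:/evil", which browsers would
        # resolve to an external host.
        return loc.startswith("/")
    if parts.username or parts.password:
        return False                         # "https://members.example.com@evil"
    return parts.hostname is not None and parts.hostname in ALLOWED_HOSTS


def safe_redirect_target(location: str) -> str:
    """Hardened counterpart of redirect_vulnerable(): off-site targets are
    replaced by FALLBACK instead of being followed."""
    return _normalise(location) if is_safe_redirect(location) else FALLBACK


# Constructed Apache-style access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jan/2024:10:02:11 +0000] "GET /membership-login/?swpm_page_url=https%3A%2F%2Fmembers.example.com%2Fthanks%2F HTTP/1.1" 302 0
203.0.113.9 - - [19/Jan/2024:10:05:42 +0000] "GET /membership-login/?swpm_page_url=https%3A%2F%2Fevil.example%2Fwp-login HTTP/1.1" 302 0
203.0.113.9 - - [19/Jan/2024:10:06:01 +0000] "GET /membership-login/?swpm_page_url=%2F%2Fevil.example%2F HTTP/1.1" 302 0
198.51.100.4 - - [19/Jan/2024:10:07:30 +0000] "GET /wp-content/uploads/x.png HTTP/1.1" 200 1234
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP/')


def find_offsite_redirect_attempts(log_text: str, param: str = "swpm_page_url"):
    """Return (client_ip, decoded value) for every request whose redirect
    parameter would be rejected by is_safe_redirect(), i.e. points off-site."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for value in parse_qs(query).get(param, []):   # parse_qs URL-decodes
            if not is_safe_redirect(value):
                hits.append((m["ip"], value))
    return hits


if __name__ == "__main__":
    for ip, target in find_offsite_redirect_attempts(SAMPLE_LOG):
        print(f"{ip} supplied off-site swpm_page_url={target!r}")
```

In a WordPress plugin the equivalent building block is wp_safe_redirect(), which passes the target through wp_validate_redirect() and falls back to the admin URL when the host is not on the allowed list (the site's own host by default, extendable with the allowed_redirect_hosts filter); the host-allowlist logic above mirrors that behaviour. The log check deliberately reuses the same validator so that whatever the hardened redirect would refuse is exactly what gets reported.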
Conclusion:
This open redirect vulnerability has been addressed promptly by the plugin developers with a patched release. Users should ensure they are running version 4.4.2 or higher to mitigate risks. Proper validation of all redirect URLs is crucial for security.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/simple-membership
Detailed Report:
Keeping your WordPress website secure should be a top priority – after all, you don’t want your hard work to be compromised. Unfortunately, vulnerabilities in plugins and themes are frequently discovered, putting many WordPress sites at risk if left unpatched. One such recently disclosed vulnerability is in the popular Simple Membership plugin, used on over 50,000 sites.
In versions up to and including 4.4.1, Simple Membership contains an open redirect vulnerability that could allow attackers to trick your site visitors into visiting malicious third-party websites. Left unaddressed, this vulnerability allows for phishing and other cyber threats that could seriously undermine user trust and expose sensitive information.
About the Simple Membership Plugin
The Simple Membership plugin is an actively maintained WordPress membership plugin with over 2 million downloads. It offers subscription packages, content restriction, and drip content functionality for membership sites.
Details of the Vulnerability
Researcher Joshua Chan publicly disclosed an open redirect vulnerability in Simple Membership on January 19th, 2024. This affects all versions up to and including 4.4.1. The vulnerability allows unauthenticated remote attackers to redirect WordPress users to arbitrary websites by supplying a malicious URL. Attackers could leverage this to conduct phishing campaigns, compromise login credentials, or spread malware.
Risks and Potential Impacts
This open redirect vulnerability poses serious risks if left unpatched:
- Phishing attacks to steal user credentials and sensitive data
- Malware infections from compromised sites
- Reputation damage if your site spreads malware or launches attacks
How to Update and Remediate
- If you use Simple Membership, update to version 4.4.2 immediately. This patches the vulnerability.
- Review recent access logs for requests whose swpm_page_url parameter points to an external host.
- If the logs show the redirect was used against your visitors, consider requiring users to reset their passwords, since phishing for credentials is the main risk of this bug.
You should also enable automatic background updates for your plugins in WordPress; with auto-updates switched on for Simple Membership, version 4.4.2 would have been installed as soon as the fix was published.
History of Vulnerabilities
This is the 17th publicly disclosed vulnerability in Simple Membership since July 2016, highlighting the importance of prompt security updates.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.