Vulnerability Details CVE-2024-9242
The Memberful – Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'memberful_buy_subscription_link' and 'memberful_podcasts_link' shortcodes in all versions up to, and including, 1.73.7, due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages; the scripts execute whenever a user accesses an injected page.
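Because the injected content is stored, a site that ran an affected version may want to review existing posts for the two shortcodes. The following audit sketch is an added example, not code from the plugin or the advisory: it flags attribute values on those shortcodes that contain markup-significant characters. The regexes only approximate WordPress shortcode parsing, and the attribute names and post bodies in the sample data are constructed.

```python
import re

# Shortcode tags named in the CVE-2024-9242 description.
AFFECTED_TAGS = ("memberful_buy_subscription_link", "memberful_podcasts_link")

# Simplified shortcode grammar (assumption): [tag a="v" b='v' c=v]
TAG_RE = re.compile(r"\[(%s)\b([^\]]*)\]" % "|".join(AFFECTED_TAGS))
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""")

# Content a plain identifier or label attribute has no reason to carry:
# quotes, angle brackets, backticks, script URLs, inline event handlers.
SUSPICIOUS_RE = re.compile(r"""[<>"'`]|javascript\s*:|\bon\w+\s*=""", re.IGNORECASE)


def find_suspicious_shortcodes(post_id, content):
    """Return (post_id, tag, attribute, value) for each attribute worth reviewing."""
    findings = []
    for tag_match in TAG_RE.finditer(content):
        tag, raw_attrs = tag_match.groups()
        for attr in ATTR_RE.finditer(raw_attrs):
            name = attr.group(1)
            # Exactly one of the three value groups matched; pick it.
            value = next((g for g in attr.groups()[1:] if g is not None), "")
            if SUSPICIOUS_RE.search(value):
                findings.append((post_id, tag, name, value))
    return findings


def audit_posts(posts):
    """posts maps post ID to raw post_content, e.g. from a database export."""
    results = []
    for post_id, content in posts.items():
        results.extend(find_suspicious_shortcodes(post_id, content))
    return results


# Constructed sample data; attribute names are hypothetical.
SAMPLE_POSTS = {
    101: '[memberful_buy_subscription_link plan="1-monthly"]Subscribe'
         '[/memberful_buy_subscription_link]',
    102: "[memberful_podcasts_link podcast='3\"><b>x</b>']Listen"
         "[/memberful_podcasts_link]",
    103: "No shortcode here, just <b>bold</b> text.",
}

if __name__ == "__main__":
    for finding in audit_posts(SAMPLE_POSTS):
        print("review post %s: [%s] attribute %r = %r" % finding)
```

Hits are leads for manual review rather than proof of injection; a legitimate label containing an apostrophe will also be flagged.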
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 26.2%
CVSS Severity
CVSS v3 Score 6.4
Products affected by CVE-2024-9242