A Cross-Site Scripting (XSS) vulnerability has been identified in the WordPress Simple Membership Plugin. This vulnerability could allow an attacker to inject malicious scripts into the affected website, potentially compromising the security of the website and its visitors.

This vulnerability was discovered and responsibly reported by FearZzZz.

The flaw is in the simple-membership.php file: a value taken from the request URL is written into the page without adequate escaping. Because the payload travels in a specially crafted URL and is reflected back in the response, this is a reflected XSS. The attacker must get a visitor to open the crafted link, after which the injected script runs in that visitor's browser within the site's origin.
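The pattern behind a flaw of this kind, as an added example that is not code from the Simple Membership plugin or from the advisory: a request parameter reaches HTML output unescaped, and the fix is escaping at the point of output for the context the value lands in. The parameter name swpm_msg and the two render functions are hypothetical; esc_html() is WordPress's own escaping function, given a fallback here so the file also runs outside WordPress.

```php
<?php
// Added example: generic reflected-XSS pattern in a WordPress plugin and its
// fix. Not code from Simple Membership or from the advisory; the parameter
// name 'swpm_msg' and the two render functions are hypothetical.

// Fallback so the file runs stand-alone (php example.php). Inside WordPress
// esc_html() already exists and this definition is skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// VULNERABLE: a value taken from the query string (in a plugin this would be
// $_GET) is concatenated into the page verbatim. Whatever the URL carries
// becomes markup in the response.
function render_message_vulnerable(array $query) {
    $msg = isset($query['swpm_msg']) ? $query['swpm_msg'] : '';
    return '<div class="swpm-message">' . $msg . '</div>';
}

// FIXED: escape on output, for the context the value lands in. Text between
// tags gets esc_html(); an attribute value would get esc_attr(); a URL would
// go through esc_url() so that the scheme is restricted as well.
function render_message_fixed(array $query) {
    $msg = isset($query['swpm_msg']) ? (string) $query['swpm_msg'] : '';
    return '<div class="swpm-message">' . esc_html($msg) . '</div>';
}

// Constructed attacker input, as it arrives after PHP has decoded a URL such
// as  /?swpm_msg=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E
$crafted = ['swpm_msg' => '<script>alert(document.cookie)</script>'];

echo "vulnerable: ", render_message_vulnerable($crafted), PHP_EOL;
echo "fixed:      ", render_message_fixed($crafted), PHP_EOL;
```

Run with php example.php: the vulnerable output contains a live script element, while the fixed output shows the same bytes neutralised as &lt;script&gt;. Sanitising on input (sanitize_text_field() in WordPress) is a useful extra layer but not a substitute for escaping at the point of output, since the same value may be written into several different contexts.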

Severity:

The vulnerability carries a CVSS 3.1 base score of 7.1, which is rated High.

Affected Versions:

The vulnerability affects all versions of the Simple Membership Plugin prior to 4.3.6.

Impact:

An attacker who successfully exploits this vulnerability can run arbitrary JavaScript, or inject arbitrary HTML, into pages of the affected site as seen by the victim, for example to:

  • Redirect visitors to an attacker-controlled site
  • Insert unwanted advertisements or spoofed content
  • Deliver other HTML or script payloads

Because the injected code executes in the visitor's browser within the site's own origin, it can lead to:

  • Phishing (spoofed login forms or messages shown on the trusted domain)
  • Malware infections (drive-by downloads served from the injected content)
  • Identity theft (stolen credentials or session tokens, and from there account takeover)

Recommendation:

Users can take the following actions:

  • Immediate update: users of the Simple Membership plugin should update without delay to the latest available version (at least 4.3.6), in which the vulnerability is fixed. The update can be applied from the WordPress admin Plugins screen or with WP-CLI.
  • Regular security audits: routinely audit the WordPress site and its installed plugins, and keep them updated.