cleantalk
Vulnerabilities and Security Researches

Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress, CVE-2024-2861

CVE, Research URL

CVE-2024-2861

Home page URL

Security reports for Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Application

Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Published on
May 23, 2024
Research Description
The ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ProfilePress User Panel widget in all versions up to, and including, 4.15.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 4.15.9.
Status
vulnerable
Previous vulnerability researches
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress , Dec 23, 2024
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress (CVE-2025-8878) , Aug 16, 2025
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress (CVE-2024-10518) , Dec 12, 2024
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress (CVE-2023-50882) , Dec 12, 2024
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress (CVE-2021-24522) , Jun 06, 2024
New vulnerability
Ultimate Addons for Contact Form 7 (CVE-2025-14356) , Dec 22, 2025
GitHub Gist Shortcode Plugin (CVE-2025-12667) , Dec 12, 2025
Cryptocurrency Payment Gateway for WooCommerce (CVE-2025-12392) , Dec 12, 2025
Wbcom Designs – Private Community for BuddyPress (CVE-2025-67582) , Dec 12, 2025
WP-Walla (CVE-2025-12589) , Dec 12, 2025