CVE-2015-5532

moderate-risk
Published 2017-10-23

Multiple cross-site scripting (XSS) vulnerabilities in the Paid Memberships Pro (PMPro) plugin before 1.8.4.3 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) s parameter to membershiplevels.php, (2) memberslist.php, or (3) orders.php in adminpages/ or the (4) edit parameter to adminpages/membershiplevels.php.

Do I need to act?

~
1.3% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.1/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Strangerstudios

References (14)

Exploit http://packetstormsecurity.com/files/132812/WordPress-Paid-Memberships-Pro-1.8.4...
Release Notes http://www.paidmembershipspro.com/2015/07/pmpro-updates-1-8-4-3-and-1-8-4-4/
Exploit http://www.securityfocus.com/archive/1/536057/100/0/threaded
Patch https://github.com/strangerstudios/paid-memberships-pro/commit/add03e3ed90e9163e...
Release Notes https://wordpress.org/plugins/paid-memberships-pro/#developers
Third Party Advisory https://wpvulndb.com/vulnerabilities/8109
Broken Link https://www.htbridge.com/advisory/HTB23264
Exploit http://packetstormsecurity.com/files/132812/WordPress-Paid-Memberships-Pro-1.8.4...
Release Notes http://www.paidmembershipspro.com/2015/07/pmpro-updates-1-8-4-3-and-1-8-4-4/
Exploit http://www.securityfocus.com/archive/1/536057/100/0/threaded
Patch https://github.com/strangerstudios/paid-memberships-pro/commit/add03e3ed90e9163e...
Release Notes https://wordpress.org/plugins/paid-memberships-pro/#developers
Third Party Advisory https://wpvulndb.com/vulnerabilities/8109
Broken Link https://www.htbridge.com/advisory/HTB23264
32
/ 100
moderate-risk
Severity 23/34 · High
Exploitability 4/34 · Minimal
Exposure 5/34 · Minimal