MalCare Ensures Proactive Protection Against WP-Members XSS Vulnerability


MalCare continues to protect its customer sites from all kinds of attacks, including those exploiting zero-day vulnerabilities. The recent stored cross-site scripting (XSS) vulnerability found in the WP-Members Membership plugin is another example of the proactive protection provided by our Atomic Security firewall.

The WP-Members XSS vulnerability has a very high chance of exploitation because it requires no authentication: anyone who can reach the plugin's registration form can plant the payload. This makes it critical to address the vulnerability as soon as possible. Whether you are a MalCare user or not, we recommend updating the WP-Members Membership plugin on your site without delay.

What is the WP-Members plugin vulnerability?

Plugin information

  • Vulnerable plugin version: v3.4.9.2 and earlier
  • Patch release version: v3.4.9.3 and newer

WP-Members, also known as WP-Members Membership Plugin, is a plugin for membership WordPress sites that provides content restriction, custom registration forms, and related features. With over 60,000 active installations, it is one of the more popular membership plugins in the WordPress ecosystem. It offers a simple, easy-to-set-up yet flexible experience, with a range of settings for managing memberships on your site.

WP-Members Membership plugin

About the vulnerability

The WP-Members plugin is vulnerable to stored XSS via the X-Forwarded-For request header (the Client-IP header is handled the same way, as described below).

To exploit this vulnerability, an attacker fills out and submits the plugin's registration form on a membership site, intercepts the registration request, and adds an X-Forwarded-For header whose value is a JavaScript payload enclosed in script tags. When the modified request reaches the server, an ordinary-looking user account is created with the details the attacker provided, and the payload is stored alongside it as the account's registration IP address. No login or existing account is needed; the only requirement is that the site exposes the WP-Members registration form, which is the plugin's core purpose.

WP-Members Membership plugin vulnerable code
Vulnerable code

The WP-Members plugin records the IP address of each user who registers through its form and stores it in the user's profile. A function called rktgk_get_user_ip() checks whether the registration request carried a Client-IP or X-Forwarded-For header (visible to PHP as $_SERVER['HTTP_CLIENT_IP'] and $_SERVER['HTTP_X_FORWARDED_FOR']). If either header is present, the function uses that value as the user's IP address instead of REMOTE_ADDR and returns it. Because HTTP headers are fully controlled by the client and the value was neither validated as an IP address nor sanitized, an unauthenticated visitor could supply any string, including a script tag, and have it stored as the user's IP address.

When an administrator later views or edits that user account, the stored value is rendered into the admin page without escaping, so the injected JavaScript runs in the administrator's browser with the administrator's session. From there the script can issue authenticated requests on the administrator's behalf to create malicious user accounts, redirect site visitors to attacker-controlled sites, or perform other malicious actions.
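The following added example illustrates the header-trust flaw described above and the two fixes a practitioner would expect (validate the value as an IP address before storing it, and escape on output regardless). It also includes a small audit check for the "Is my site at risk?" question later on the page. This is not the WP-Members source code: the function names, the constructed $_SERVER array and the constructed usermeta rows are all assumptions made for illustration, and htmlspecialchars() stands in for WordPress's esc_html() so the script runs outside WordPress with plain `php`.

```php
<?php
// Added illustration of the header-trust flaw described above. This is NOT
// the WP-Members source; function names and sample data are assumptions.

declare(strict_types=1);

// Vulnerable pattern: trust client-controlled proxy headers verbatim.
function vulnerable_get_user_ip(array $server): string
{
    if (!empty($server['HTTP_CLIENT_IP'])) {
        return $server['HTTP_CLIENT_IP'];
    }
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $server['HTTP_X_FORWARDED_FOR'];
    }
    return $server['REMOTE_ADDR'] ?? '';
}

// Hardened pattern: only accept values that parse as an IP address, and only
// consult forwarding headers when a trusted reverse proxy sits in front of PHP.
function hardened_get_user_ip(array $server, bool $behind_trusted_proxy = false): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!$behind_trusted_proxy) {
        return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '';
    }
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR'] as $key) {
        if (empty($server[$key])) {
            continue;
        }
        // X-Forwarded-For may be a comma-separated chain; take the first hop.
        $candidate = trim(explode(',', $server[$key])[0]);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    // Nothing usable in the headers: fall back to the socket peer address.
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '';
}

// Output-side defence: escape on render regardless of what was stored.
// htmlspecialchars() stands in for WordPress's esc_html() (assumption).
function render_ip_cell(string $stored_ip): string
{
    return '<td>' . htmlspecialchars($stored_ip, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Audit helper: flag stored "IP" values that do not parse as an IP address.
// Keys are user IDs, values are the stored registration IP (constructed data).
function find_suspicious_ip_meta(array $rows): array
{
    $hits = [];
    foreach ($rows as $user_id => $value) {
        if (filter_var((string) $value, FILTER_VALIDATE_IP) === false) {
            $hits[] = $user_id;
        }
    }
    return $hits;
}

// Constructed registration request carrying a script in the forwarding header.
$request = [
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR' => '<script>alert(document.domain)</script>',
];

echo "vulnerable stores: ", vulnerable_get_user_ip($request), PHP_EOL;
echo "hardened stores:   ", hardened_get_user_ip($request), PHP_EOL;
echo "hardened (proxy):  ", hardened_get_user_ip($request, true), PHP_EOL;
echo "escaped render:    ", render_ip_cell(vulnerable_get_user_ip($request)), PHP_EOL;

// Constructed usermeta rows as they might appear in wp_usermeta.
$meta = [
    7 => '198.51.100.23',
    8 => '<script>alert(document.domain)</script>',
    9 => '2001:db8::1',
];
echo "suspicious user IDs: ", implode(',', find_suspicious_ip_meta($meta)), PHP_EOL;
```

Two design points are worth noting. First, validating with FILTER_VALIDATE_IP is what closes this bug: the hardened resolver returns 203.0.113.10 for the constructed request whether or not a proxy is trusted, because a script tag is never a valid address. Second, forwarding headers should only be honoured when a trusted reverse proxy sets them; otherwise any client can spoof its own address, which is a separate problem from the XSS. Escaping on output is the belt-and-braces layer that would have neutralised the payload even with the storage bug in place. For the audit, the real meta key WP-Members uses for the stored IP is not given on this page, so query it from your own database rather than guessing.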

The vulnerability has now been fixed with the release of WP-Members Membership Plugin v3.4.9.3 on March 7, 2024.

Who discovered this vulnerability?

The WP-Members stored XSS vulnerability was discovered by independent WordPress security researcher Webbernaut, who reported it to Wordfence's Bug Bounty Program. Wordfence then notified Chad Butler, the plugin developer, on February 23, 2024, and a patch was released on March 7, 2024.

WP-Members Membership plugin changelog
WP-Members Membership plugin update log

How is your WordPress site at risk?

Your WordPress site is at risk if it runs the WP-Members Membership Plugin v3.4.9.2 or earlier.

Once the injected script runs in an administrator's browser, it acts with that administrator's privileges. Attackers can use this to carry out harmful activities, including:

  • injecting harmful scripts to carry out phishing or clickjacking attacks, or to reroute visitors to unauthorized websites,
  • using breached websites as control centers for orchestrating broader attacks, potentially resulting in these sites being blacklisted by search engines like Google,
  • installing backdoors to re-compromise websites that have previously been cleared of malware,
  • creating illegitimate admin accounts which allow them to take complete control over affected websites, and
  • gaining access to and stealing sensitive information such as user credentials and personal details stored within databases.

Additionally, XSS vulnerabilities can damage your website’s reputation, reduce visitor trust, and cause significant SEO ranking drops if not addressed promptly.

Hence, we strongly recommend you update the WP-Members Membership plugin on your WordPress site immediately, at least to v3.4.9.3.

How to protect your site?

To effectively protect your WordPress site from potential security threats like the WP-Members XSS vulnerability, follow these proactive steps:

  • Start with a MalCare scan: Install MalCare to rapidly remove any existing malware and bolster your site’s defenses with its Atomic Security feature. This initial scan ensures you’re starting from a clean slate.
  • Update plugins and themes: Consistently monitor and update your plugins and themes. Outdated versions may contain security loopholes that hackers can exploit. Utilize MalCare’s dashboard feature, which notifies you of outdated components, helping you maintain updated and more secure software.
  • Update WordPress salts and security keys: This crucial step forces all current sessions to end and logs out all users, significantly improving your site’s security. MalCare simplifies this process as part of its comprehensive cleanup routine.
  • Check user roles and permissions: Regularly review the roles and permissions assigned to your site’s users. Quick action should be taken to modify or revoke privileges if any anomalies are detected, helping prevent unauthorized access.
  • Change login details: Update your administrator password immediately and ensure that all user sessions are terminated. Prompt other users to update their passwords and advise them to choose robust, new passwords to strengthen their accounts.
  • Enhance login security: Implement two-factor authentication (2FA) and set limits on login attempts. These measures add an additional layer of security, making unauthorized access more challenging.
  • Keep an eye on your site with monitoring: With MalCare, continuous monitoring of your site is effortless. It keeps a vigilant watch for any suspicious activity and promptly alerts you to potential threats.

How does MalCare secure your site?

Beyond Atomic Security, MalCare secures your WordPress site through a range of essential features like:

  • Quick malware detection and cleanup: MalCare performs daily scans of your site, automatically searching for and identifying malware. Should any malware be detected, its potent removal tool acts swiftly to eradicate it, safeguarding and restoring your site’s health.
  • Vulnerability notifications: MalCare vigilantly monitors your plugins and themes for any potential vulnerabilities. When issues are detected, it immediately alerts you, enabling you to reinforce your site’s defenses promptly.
  • Bot defense: Recognizing the disruptive impact of bots on site performance, MalCare deploys robust defenses to deter these automated threats, ensuring your site operates smoothly.
  • Efficient backups: MalCare’s automatic, offsite backup system keeps you prepared for any situation. If problems arise, these backups allow for a swift and effective recovery.

MalCare envelops your WordPress site in a protective layer, combining proactive steps and sturdy defenses to secure your online presence continuously.
