CVE-2024-13121: 
WordPress vulnerability analysis and mitigation

The Paid Membership Plugin (wp-user-avatar) for WordPress versions below 4.15.20 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-13121. The vulnerability was discovered by Dmitrii Ignatyev and publicly disclosed on January 23, 2025. This security issue affects the plugin's directory settings functionality (WPScan).

The vulnerability stems from insufficient sanitization and escaping of certain plugin settings. This security flaw could be exploited by users with high privileges, such as administrators, to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is disabled, such as in multisite setups. The vulnerability has been assigned a CVSS score of 3.5 (low severity) and is classified under CWE-79 (WPScan).

When exploited, this vulnerability allows privileged users to inject malicious scripts into the plugin's settings, specifically in the Member Directory's color settings section. These scripts would then be executed when other users access the affected pages, potentially leading to unauthorized actions or data theft (WPScan).

The vulnerability has been patched in version 4.15.20 of the Paid Membership Plugin. Users are advised to update their installations to this version or later to mitigate the risk (WPScan).