CVE-2024-1985: 
WordPress vulnerability analysis and mitigation

The Simple Membership plugin for WordPress (CVE-2024-1985) contains a Stored Cross-Site Scripting vulnerability in the 'Display Name' parameter affecting all versions up to and including 4.4.2. The vulnerability was discovered and reported by Wordfence, with public disclosure on March 13, 2024 (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's handling of the 'Display Name' parameter. This security flaw allows unauthenticated attackers to inject arbitrary web scripts that execute when users access the affected pages. The vulnerability has received a CVSS v3.1 base score of 6.1 (Medium) from NIST and 4.7 (Medium) from Wordfence, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The impact of this vulnerability is considered limited due to specific exploitation requirements. When successfully exploited, the vulnerability allows attackers to inject malicious scripts that execute when users access the compromised pages. However, the attack requires social engineering and the scripts only execute when a user logs in as the user with the injected payload (NVD).

Users should update their Simple Membership plugin to version 4.4.3 or later which contains the fix for this vulnerability. The patch addresses the insufficient input sanitization and output escaping issues in the affected parameter (NVD).