CVE-2024-5031: 
WordPress vulnerability analysis and mitigation

The Memberpress plugin for WordPress contains a Blind Server-Side Request Forgery (SSRF) vulnerability in versions up to and including 1.11.29. The vulnerability was discovered and disclosed on May 21, 2024, affecting the 'mepr-user-file' shortcode functionality (Wordfence Advisory).

The vulnerability is tracked as CVE-2024-5031 and has received a CVSS v3.1 base score of 8.5 (High) from Wordfence and 6.4 (Medium) from NIST. The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N, indicating network accessibility, low attack complexity, and requiring low privileges. The vulnerability type is classified as CWE-918 (Server-Side Request Forgery) (NVD).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to make web requests to arbitrary locations originating from the web application. This capability can be leveraged to query and modify information from internal services, potentially exposing sensitive internal resources to unauthorized access (NVD).

The vulnerability has been patched in version 1.11.30 of the Memberpress plugin. Site administrators are strongly advised to update to this version or later to protect against potential exploitation (Memberpress Changelog).