More than 60,000 WordPress sites running the WP-Members Membership Plugin could be compromised through arbitrary script injection due to a high-severity cross-site scripting vulnerability, tracked as CVE-2024-1852, reports SecurityWeek. According to a Wordfence alert, threat actors could exploit the plugin's user registration feature by creating a registration form submission, intercepting it, and then modifying it to include an X-Forwarded-For header containing a malicious payload.
Source: SC Magazine
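
Added example, not code from WP-Members, Wordfence or SC Magazine: one way to handle the X-Forwarded-For header defensively, assuming the value is recorded as the registrant's IP address and later rendered in an HTML page. The function names, `$trustedProxies` and the sample requests are hypothetical.

```php
<?php
// Added example, not plugin code. Assumption: the header value is stored as
// the registrant's IP address and later rendered inside an HTML page.

// Pick the address to store. $trustedProxies (hypothetical setting) lists the
// reverse proxies that are allowed to supply X-Forwarded-For.
function client_ip_for_storage(array $server, array $trustedProxies = []): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    // A direct client can put anything in the header, so ignore it unless
    // the TCP peer is one of our own proxies.
    if ($xff === '' || !in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    // The header is a comma-separated hop list; read it right to left.
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // not an IP literal: never store it
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;    // first hop that is not our own proxy
        }
    }
    return $remote;
}

// Escape on output too: rows saved before validation existed may be hostile.
function render_ip_cell(?string $ip): string
{
    return '<td>' . htmlspecialchars($ip ?? 'unknown', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// Constructed sample requests.
$proxies = ['10.0.0.5'];
$payload = '"><script>alert(1)</script>';
$samples = [
    ['REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 10.0.0.5'],
    ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => $payload],
    ['REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_FORWARDED_FOR' => $payload],
];
foreach ($samples as $s) {
    echo var_export(client_ip_for_storage($s, $proxies), true), PHP_EOL;
}
echo render_ip_cell($payload), PHP_EOL; // legacy stored value, shown inert
```

Inside WordPress code the output step would normally go through `esc_html()` rather than calling `htmlspecialchars()` directly.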