CVE-2024-9231
WP-Members Membership Plugin <= 3.4.9.5 - Reflected Cross-Site ScriptingThe WP-Members Membership Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.4.9.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
We have discovered 9,966 live websites that are affected by CVE-2024-9231.
Affected Software
| Product |  WP-Members |
| Category | Wordpress Plugins |
| Vulnerable Domains | 9,966 live websites (49.46% of WP-Members install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 106 versions ( 92.98% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Oct 22, 2024
- Updated - Oct 22, 2024
Credits
- Dale Mavers (finder)
CWE
CVE References
CWE References
CVE-2024-9231 usage by Country
 United States | 2,348 websites |
 Japan | 2,199 websites |
 Germany | 1,064 websites |
 France | 976 websites |
 Korea, South | 349 websites |
 GB | 282 websites |
 Netherlands | 260 websites |
 Italy | 211 websites |
 Switzerland | 170 websites |
CVE-2024-9231 usage by TLD
| .com | 3,501 websites |
| .org | 1,054 websites |
| .jp | 634 websites |
| .de | 605 websites |
| .fr | 458 websites |
| .net | 408 websites |
| .co.jp | 298 websites |
| .nl | 233 websites |
| .it | 189 websites |
| .co.uk | 172 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-9231
Top websites that are affected by CVE-2024-9231. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| **.********.edu | United States | **,*** | |
| ****.******.jp | United States | ***,*** | |
| *******.org | Germany | ***,*** | |
| *********.org | United States | ***,*** | |
| *******.jp | United States | ***,*** | |
| ****.**.uk | United States | ***,*** | |
| ****.org | United States | ***,*** | |
| **********.com | United States | ***,*** | |
| ***************.de | Germany | ***,*** | |
| *****.io | Germany | ***,*** |
FAQ
CVE-2024-9231 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WP-Members
A total of 9,966 websites have been identified as vulnerable to CVE-2024-9231, discovered through global website indexing conducted by WebTechSurvey.
WP-Members is susceptible to CVE-2024-9231 vulnerability.
WP-Members versions before, and including, 3.4.9.5 are vulnerable to CVE-2024-9231.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2d59e599-59da-4c03-b71f-d00a078b2442?source=cve
- https://plugins.trac.wordpress.org/browser/wp-members/tags/3.4.9.5/includes/class-wp-members.php#L1960
- https://plugins.trac.wordpress.org/browser/wp-members/tags/3.4.9.5/includes/class-wp-members-forms.php#L2198
- https://plugins.trac.wordpress.org/changeset/3172354/wp-members/trunk/includes/class-wp-members-forms.php?contextall=1