CVE-2024-5031: MemberPress <= 1.11.29 - Authenticated (Contributor+) Blind Server-Side Request Forgery via mepr-user-file Shortcode
First published: Wed May 22 2024(Updated: )
The Memberpress plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 1.11.29 via the 'mepr-user-file' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| MemberPress | <=1.11.29 | |
| MemberPress | <1.11.30 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- agent/weakness
- agent/title
- agent/references
- agent/type
- agent/first-publish-date
- agent/description
- agent/author
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/source
- agent/last-modified-date
- agent/severity
- agent/event
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- vendor/memberpress
- canonical/memberpress
- vendor/caseproof