Community Alert: Cross-Site Scripting in ProfilePress (CVE-2024-13121)

Cross-Site Scripting (XSS) in WordPress ProfilePress Plugin
Plugin Name: ProfilePress
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2024-13121
Urgency: Low
CVE Publish Date: 2026-01-30
Source URL: CVE-2024-13121

Urgent: Admin Stored XSS in ProfilePress (< 4.15.20) — What WordPress Site Owners Must Do Now

Date: 2026-01-30   |   Author: Hong Kong Security Expert

Summary: A stored Cross-Site Scripting (XSS) vulnerability affecting ProfilePress (fixed in 4.15.20, tracked as CVE-2024-13121) can be abused by an actor with Administrator privileges to inject persistent JavaScript into the WordPress admin environment. This advisory explains the technical risk, likely abuse scenarios, detection indicators, and practical hardening and mitigation steps.

Why this matters

Stored XSS in admin-facing plugin settings is qualitatively different from reflected/public XSS. Key points:

  • The payload is persistent (stored in database or settings) and runs whenever an admin views the affected admin page.
  • This vulnerability requires Administrator privileges to inject content, so initial access is limited; however, the post-injection impact is significant:
    • An attacker with admin privileges can implant persistent backdoors, create new admin users, or exfiltrate credentials and session data.
    • If injected script runs in an admin’s browser it can perform authenticated actions (CSRF-style), modify site configuration, or install further malware.
  • Although exploitation requires high privilege or social engineering of an admin, stored admin XSS is high-risk for site takeover and long-term persistence.

This advisory is authored by a Hong Kong security expert — concise, practical, and prioritised for site owners, administrators, hosts, and developers.


Technical background — what is stored XSS in admin context?

Cross-Site Scripting happens when untrusted input is improperly sanitized or escaped and is returned to a user’s browser as executable script. Stored XSS means the malicious payload is saved on the server and later rendered for other users.

In an admin-stored XSS scenario:

  • The plugin fails to sanitize or escape a setting, profile field, or stored field that is editable in wp-admin.
  • An actor with required privileges inserts markup or JavaScript that is saved to the database.
  • When another privileged user views that admin interface, the script runs in the browser context of that user with their privileges.

Consequences include session hijacking, silent creation/modification of posts/options/users, installation of persistence mechanisms, and content manipulation or redirects. The vulnerability is fixed in ProfilePress 4.15.20; updating is the definitive remediation, but other mitigations can be applied if immediate updating isn’t possible.
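To make the two halves of this bug class concrete, the Python below is an added illustration, not ProfilePress code: a constructed admin-editable setting is first concatenated straight into admin HTML (the vulnerable pattern), then rendered through output escaping (`html.escape` stands in for WordPress `esc_html()`/`esc_attr()`), with a tag-stripping save filter standing in for `sanitize_text_field()`. A small HTML-parser-based check shows whether the rendered fragment still contains anything a browser would execute. The setting names and the sample value are made up for this example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample: values an Administrator might save into an admin-editable
# setting (label, field description). Not taken from the plugin.
SAMPLE_SETTINGS = {
    "profile_label": "Member Profile",
    "field_description": 'Welcome <img src=x onerror="alert(document.cookie)">',
}


def render_setting_unescaped(value: str) -> str:
    """Vulnerable pattern: the stored value is concatenated into admin HTML as-is."""
    return '<td class="setting">' + value + "</td>"


def render_setting_escaped(value: str) -> str:
    """Hardened pattern: escape at output time (WordPress esc_html() equivalent)."""
    return '<td class="setting">' + html.escape(value, quote=True) + "</td>"


def render_attribute_escaped(value: str) -> str:
    """Attribute context: quotes must be escaped too (esc_attr() equivalent)."""
    return '<input type="text" value="' + html.escape(value, quote=True) + '">'


TAG_RE = re.compile(r"<[^>]*>")


def sanitize_on_save(value: str) -> str:
    """Strip markup when the setting is saved (sanitize_text_field()-style).
    This is defence in depth only: data can reach the table by other paths
    (imports, direct DB writes, an older plugin version), so output escaping
    above is still required."""
    return TAG_RE.sub("", value).strip()


class ActiveContentDetector(HTMLParser):
    """Tokenises a fragment the way a browser would and records executable parts:
    <script> elements, on* event-handler attributes and javascript: URIs."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"event handler {name}")
            if value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URI in {name}")


def active_content(fragment: str) -> list[str]:
    """Return the executable parts found in a rendered HTML fragment (empty if none)."""
    detector = ActiveContentDetector()
    detector.feed(fragment)
    detector.close()
    return detector.findings


if __name__ == "__main__":
    payload = SAMPLE_SETTINGS["field_description"]
    print("unescaped :", active_content(render_setting_unescaped(payload)))
    print("escaped   :", active_content(render_setting_escaped(payload)))
    print("sanitized :", repr(sanitize_on_save(payload)))
```

The escaped rendering keeps the attacker's text visible to the admin as literal characters, which is exactly the behaviour a fixed plugin should have: the stored value is untrusted wherever it came from, and the escaping belongs at the point where it is written into the page.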


Affected versions and CVE

  • Affected: ProfilePress < 4.15.20
  • Fixed: 4.15.20
  • CVE: CVE-2024-13121
  • Privilege required: Administrator
  • User interaction: Required (an administrator typically must submit or save settings)
  • Reported severity: medium (a CVSS score of roughly 5.9 has been reported), which is in line with a stored admin XSS

Immediate actions you should take (first 24–48 hours)

  1. Update: Apply ProfilePress 4.15.20 or later immediately when possible. This is the cleanest fix.
  2. If you cannot update right now:
    • Reduce administrator activity: ask admins to avoid wp-admin logins or changes until mitigations are applied.
    • Enforce extra admin access controls: restrict admin logins by IP, require MFA, or use VPN access.
    • Deploy targeted web request filtering (WAF/virtual patching) that blocks suspicious payloads to the plugin’s admin endpoints.
  3. Rotate credentials and keys: Force password changes for all admin accounts and rotate API keys/tokens.
  4. Scan for compromise: Search for injected scripts and other indicators in DB and files (see detection section).
  5. Audit admin users: Remove orphaned or suspicious admin accounts.
  6. Enable monitoring & logging: Ensure admin actions and changes are logged and reviewed.

How to detect whether your site was targeted or compromised

Stored XSS often leaves detectable traces in database records or plugin settings. Focus on plugin-specific tables, options, and usermeta where ProfilePress stores admin-editable content.
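As an added example (not part of the original advisory, and not ProfilePress code), the Python below implements the kind of database sweep this section and step 4 of the immediate actions call for: it takes rows in the shape of a wp_options / wp_usermeta export (table, key, value), undoes common encoding layers (HTML entities, percent-encoding) so that encoded payloads are compared in decoded form, and flags the indicators that matter for stored XSS. All option and meta keys and all values are constructed for this example; real ProfilePress key names are not assumed.

```python
import html
import re
from urllib.parse import unquote

# Constructed rows shaped like a (table, option/meta key, value) export.
# Keys and values are made up; they are not real ProfilePress settings.
SAMPLE_ROWS = [
    ("wp_options", "example_profile_label", "Member area"),
    ("wp_options", "example_notice", 'Hello <script src="https://example.invalid/x.js"></script>'),
    ("wp_usermeta", "example_bio", "Plain text bio, nothing special"),
    ("wp_usermeta", "example_bio", 'Bio <a href="JaVaScRiPt:alert(1)">link</a>'),
    ("wp_options", "example_footer", "&lt;img src=x onerror=fetch(&#39;//example.invalid&#39;)&gt;"),
    ("wp_options", "example_encoded", "%3Cscript%3Ealert(1)%3C/script%3E"),
    ("wp_options", "example_svg", '<svg onload="alert(1)"></svg>'),
]

# Indicator patterns evaluated against the decoded value.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "remote_script_src": re.compile(r"<\s*script[^>]*\bsrc\s*=", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "iframe_or_object": re.compile(r"<\s*(iframe|object|embed)\b", re.I),
}


def normalize(value: str, rounds: int = 3) -> str:
    """Peel off HTML-entity and percent-encoding layers until the value stops
    changing (bounded so a pathological value cannot loop)."""
    current = value
    for _ in range(rounds):
        decoded = unquote(html.unescape(current))
        if decoded == current:
            break
        current = decoded
    return current


def scan_rows(rows):
    """Return one finding per row that matches at least one indicator."""
    findings = []
    for table, key, raw in rows:
        text = normalize(raw)
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
        if hits:
            findings.append({
                "table": table,
                "key": key,
                "indicators": hits,
                # An encoded payload is itself a signal worth noting in triage.
                "encoded": text != raw,
            })
    return findings


def parse_tsv(lines):
    """Turn tab-separated 'table<TAB>key<TAB>value' lines (e.g. a batch-mode SQL
    client export) into rows for scan_rows; malformed lines are skipped."""
    rows = []
    for line in lines:
        parts = line.rstrip("\n").split("\t", 2)
        if len(parts) == 3:
            rows.append(tuple(parts))
    return rows


if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
```

Run it against an actual export by feeding `parse_tsv(open("export.tsv"))` into `scan_rows`, and treat every hit as a lead for manual review rather than proof of compromise: legitimate settings rarely contain script tags or event handlers, but a human should confirm before anything is deleted, and the row's contents should be preserved as evidence first.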

Search for suspicious content such as