CVE-2024-7703

MEDIUM

ARMember - Membership Plugin < 4.0.37 - Authenticated Stored Cross-Site Scripting via SVG File Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-7703. PoCs published by lfillaz.

AI-analyzed exploit summary This repository contains a proof-of-concept exploit for CVE-2024-7703, a stored XSS vulnerability in the ARMember WordPress plugin (versions up to 4.0.37). The exploit leverages insufficient input sanitization to upload malicious SVG files, allowing arbitrary JavaScript execution when the file is viewed.

Description

The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.0.37 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Exploits (1)

nomisec WORKING POC 1 stars

by lfillaz · poc

https://github.com/lfillaz/CVE-2024-7703

View Code ZIP pw:eip

This repository contains a proof-of-concept exploit for CVE-2024-7703, a stored XSS vulnerability in the ARMember WordPress plugin (versions up to 4.0.37). The exploit leverages insufficient input sanitization to upload malicious SVG files, allowing arbitrary JavaScript execution when the file is viewed.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: ARMember WordPress Plugin (up to 4.0.37)

Auth required

Prerequisites: WordPress account with Subscriber-level access or higher · ARMember plugin version <= 4.0.37 · Ability to upload files

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Product

https://plugins.trac.wordpress.org/browser/armember-membership/trunk/core/classes/class.arm_members_activity.php#L374

Product

https://plugins.trac.wordpress.org/changeset/3136475/

Product

https://wordpress.org/plugins/armember-membership/#developers

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/7bd057d5-5350-43c9-abfc-34d8f6537d2e?source=cve

Scores

CVSS v3 6.4

EPSS 0.0114

EPSS Percentile 62.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

reputeinfosystems/ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup < 4.0.37

Published Aug 17, 2024

Tracked Since Feb 18, 2026