WordPress Plugin Vulnerabilities

Author Avatars List/Block < 2.1.19 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
author-avatars
Fixed in 2.1.19

References

CVE
CVE-2023-49846
URL
https://patchstack.com/database/vulnerability/author-avatars/wordpress-author-avatars-list-block-plugin-2-1-16-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Ngô Thiên An (ancorn_)
Verified
No
WPVDB ID
039b05c7-4715-4e30-b221-9fb1b0ca01f5

Timeline

Publicly Published
2023-12-06 (about 2 years ago)
Added
2023-12-10 (about 2 years ago)
Last Updated
2023-12-18 (about 2 years ago)

Other

Published
Title
Published
2024-08-28
Title
Beaver Builder (Lite Version) < 2.8.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via type Parameter
Published
2025-08-04
Title
WP Easy Contact < 4.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via noaccess_msg Parameter
Published
2024-10-25
Title
Kata Plus < 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-03-27
Title
Contest Gallery < 21.1.2.1 - Reflected XSS
Published
2024-03-11
Title
Elementor Header & Footer Builder < 1.6.25 - Contributor+ Stored Cross-Site Scripting