WordPress Plugin Vulnerabilities

ProfilePress < 4.5.1 - Admin+ Stored Cross-Site Scripting via Form Settings

Description

The plugin does not sanitize and escape several form fields before outputting them to pages on the site, allowing authenticated (admin+) users to inject arbitrary web scripts even when unfiltered html has been disabled (such as in a multisite setup).

Affects Plugins

Plugin icon
wp-user-avatar
Fixed in 4.5.1

References

CVE
CVE-2022-4698
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-user-avatar/profilepress-450-authenticated-administrator-stored-cross-site-scripting-via-form-settings

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Ivan Kuzymchak
Verified
No
WPVDB ID
16d825fe-1f20-4c29-b73c-7806f81717a5

Timeline

Publicly Published
2022-12-23 (about 3 years ago)
Added
2022-12-26 (about 3 years ago)
Last Updated
2022-12-26 (about 3 years ago)

Other

Published
Title
Published
2023-12-14
Title
Featured Image from URL (FIFU) < 4.5.4 - Contributor+ Stored XSS
Published
2025-08-20
Title
Themify Icons < 2.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-01-02
Title
Spiritual Gifts Survey <= 0.9.10 - Unauthenticated CSRF to XSS
Published
2024-06-20
Title
Enfold < 5.6.10 - Reflected Cross-Site Scripting
Published
2024-11-08
Title
OS Our Team <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting