ProfilePress < 3.1.11 – Unauthenticated Cross-Site Scripting (XSS) in tabbed login/register widget | CVE 2021-24522 | Plugin Vulnerabilities

Description

The plugin's widget for tabbed login/register was not properly escaped and could be used in an XSS attack which could lead to wp-admin access. Further, the plugin in several places assigned $_POST as $_GET which meant that in some cases this could be replicated with just $_GET parameters and no need for $_POST values.

Proof of Concept

1. Add the registration shortcode to a page.
2. Add the tabbed login/register widget on the same page.
3. Visit the page logged out and add this to the end of the URL /?tabbed-login-name="><script>alert(1)</script>

This could also be replicated by posting to any page with the widget present, which would not need the registration shortcode to be present on the page.

Affects Plugins

Fixed in 3.1.11

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2561271/wp-user-avatar

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Stiofan

Submitter

Stiofan

Submitter website

https://ayecode.io/

Submitter twitter

Verified

No

WPVDB ID

25b51add-197c-4aff-b1a8-b92fb11d8697

Timeline

Publicly Published

2021-08-09 (about 4 years ago)

Added

2021-07-12 (about 4 years ago)

Last Updated

2022-02-06 (about 3 years ago)

Other

Published

Title

Published

2024-12-30

Title

GeoDirectory < 2.3.85 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2021-09-10

Title

Appointment Hour Booking – WordPress Booking Plugin < 1.3.17 - Authenticated Stored XSS

Published

2025-01-03

Title

SimpleCharm < 1.4.4 - Reflected Cross-Site Scripting

Published

2014-08-01

Title

HMS Testimonials 2.0.10 - XSS

Published

2025-12-05

Title

Rich Shortcodes for Google Reviews < 6.8.1 - Unauthenticated Stored XSS via Google Review