logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

ProfilePress < 3.1.11 - Unauthenticated Cross-Site Scripting (XSS) in tabbed login/register widget

Description

The plugin's widget for tabbed login/register was not properly escaped and could be used in an XSS attack which could lead to wp-admin access.  Further, the plugin in several places assigned $_POST as $_GET which meant that in some cases this could be replicated with just $_GET parameters and no need for $_POST values.

Proof of Concept

1. Add the registration shortcode to a page.
2. Add the tabbed login/register widget on the same page.
3. Visit the page logged out and add this to the end of the URL /?tabbed-login-name="><script>alert(1)</script>

This could also be replicated by posting to any page with the widget present, which would not need the registration shortcode to be present on the page.

Affects Plugins

wp-user-avatar

Fixed in version 3.1.11

References

CVE

CVE-2021-24522

URL

https://plugins.trac.wordpress.org/changeset/2561271/wp-user-avatar

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

Stiofan

Submitter

Stiofan

Submitter website

https://ayecode.io/

Submitter twitter

_Stiofan

Verified

No

WPVDB ID

25b51add-197c-4aff-b1a8-b92fb11d8697

Timeline

Publicly Published

2021-08-09 (about 2 months ago)

Added

2021-07-12 (about 3 months ago)

Last Updated

2021-07-12 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin