User Avatar – Reloaded < 1.2.2 – Contributor+ Stored XSS | CVE 2023-4798 | Plugin Vulnerabilities

Description

The plugin does not properly sanitize and escape certain of its shortcodes attributes, which could allow relatively low-privileged users like contributors to conduct Stored XSS attacks.

Proof of Concept

As a Contributor+ create a new post and add one of the following shortcode.

[avatar user="admin" size="96" align="left" link='" onmouseover="alert(/XSS/)"' /]

[avatar user="admin" size="96" align="left" link="/" target='" onmouseover="alert(/XSS/)"' /]

Save it to be reviewed.
When an admin reviews the post and moves the mouse over the added code, the payload will be delivered.

Affects Plugins

user-avatar-reloaded

Fixed in 1.2.2

References

CVE

URL

https://blog.cleantalk.org/cve-2023-4798-user-avatar-reloaded-1-2-2-contributor-stored-xss

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://blog.cleantalk.org

Verified

Yes

WPVDB ID

273a95bf-39fe-4ba7-bc14-9527acfd9f42

Timeline

Publicly Published

2023-09-25 (about 2 years ago)

Added

2023-09-25 (about 2 years ago)

Last Updated

2023-09-26 (about 2 years ago)

Other

Published

Title

Published

2025-03-11

Title

WP Last Modified <= 0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2024-01-12

Title

Schema & Structured Data for WP & AMP < 1.26 - Contributor+ Stored Cross-Site Scripting

Published

2021-10-18

Title

Content Staging <= 2.0.1 - Admin+ Stored Cross-Site Scripting

Published

2025-04-04

Title

FunnelCockpit < 1.4.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2023-07-27

Title

Bit Assist < 1.1.9 - Admin+ Stored Cross-Site Scripting