WordPress Plugin Vulnerabilities

ProfileGrid < 4.7.5 - Subscriber+ Stored Cross-Site Scripting

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the pm_user_avatar and pm_cover_image parameters found in the ~/admin/class-profile-magic-admin.php file which allows attackers with authenticated user access, such as subscribers, to inject arbitrary web scripts into their profile.

Affects Plugins

Plugin icon
profilegrid-user-profiles-groups-and-communities
Fixed in 4.7.5

References

CVE
CVE-2022-0233
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-0233

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Big Tiger
Verified
Yes
WPVDB ID
5c948e04-d998-4032-85a9-1d9a42b3e160

Timeline

Publicly Published
2022-01-18 (about 4 years ago)
Added
2022-01-18 (about 4 years ago)
Last Updated
2022-04-08 (about 4 years ago)

Other

Published
Title
Published
2025-12-12
Title
Popup Builder – Create highly converting, mobile friendly marketing popups. < 4.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2026-03-20
Title
FuseDesk <= 6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'emailtext' Shortcode Attribute
Published
2024-01-31
Title
MW WP Form < 5.1.0 - Editor+ Stored XSS
Published
2025-06-19
Title
Inventory Presser < 15.2.7 - Admin+ Stored XSS
Published
2024-12-11
Title
Restaurant & Cafe Addon for Elementor < 1.5.9 - Authenticated (Contributor+) Stored Cross-Site Scripting