The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Note: This is a BuddyPress addon plugin.

Proof of concept:
[youzify_author_box user_id='1' layout='" onmouseover="alert(1)" style="background:red;width:100px;height:100px;"']
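The pattern behind this advisory is a shortcode attribute written straight into an HTML attribute without validation or escaping. The following is an added illustration, not the Youzify plugin's code (which is not on this page): a hypothetical `example_author_box` shortcode handler with `user_id` and `layout` attributes, first in the unsafe form and then hardened with an allow-list, `absint()` and `esc_attr()`. The layout names are an assumed set chosen for the example.

```php
<?php
// Added example, not the Youzify plugin's own code. Function names, the
// shortcode tag and the allowed layout list are hypothetical.

// UNSAFE pattern: 'layout' and 'user_id' are interpolated into HTML attributes
// as-is. A value such as the advisory's PoC
//   layout='" onmouseover="alert(1)" style="..."'
// closes the class attribute and injects an event handler, which is then
// stored in the post and rendered for every visitor.
function example_author_box_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'user_id' => 0, 'layout' => 'default' ),
        $atts,
        'example_author_box'
    );
    return '<div class="author-box layout-' . $atts['layout'] . '" data-user="' . $atts['user_id'] . '"></div>';
}

// HARDENED pattern: validate each attribute against what it may legitimately
// be, then escape on output. Validation limits the value space; escaping makes
// the output safe in its HTML attribute context even if validation is later
// relaxed.
function example_author_box_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'user_id' => 0, 'layout' => 'default' ),
        $atts,
        'example_author_box'
    );

    // Hypothetical allow-list of layouts the template actually supports.
    $allowed_layouts = array( 'default', 'compact', 'wide' );
    $layout = in_array( $atts['layout'], $allowed_layouts, true ) ? $atts['layout'] : 'default';

    // user_id must be a positive integer; anything else yields 0 and no output.
    $user_id = absint( $atts['user_id'] );
    if ( 0 === $user_id ) {
        return '';
    }

    return sprintf(
        '<div class="author-box layout-%s" data-user="%d"></div>',
        esc_attr( $layout ),
        $user_id
    );
}

// Only the hardened handler is registered.
add_shortcode( 'example_author_box', 'example_author_box_safe' );
```

Fed the attribute value from the proof of concept above, the unsafe handler emits the injected `onmouseover` and `style` attributes into the page, while the hardened handler falls back to `layout-default` and writes only a numeric `data-user`. The same two steps, allow-list validation of each attribute and context-appropriate escaping (`esc_attr()` for attributes, `esc_html()` for text nodes, `esc_url()` for URLs), are the general fix for this class of shortcode XSS.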
Lana Codes
Yes
2023-01-24