WordPress Plugin Vulnerabilities

UserPro < 4.9.35.1 - Unauthenticated Reflected XSS

Description

Edit (WPscanTeam):
August 26th, 2019 - Envato Notified
September 2nd, 2019 - v4.9.34 released, still vulnerable
September 24th, 2019 - v4.9.35 and 4.9.35.1 released, fixing the issue

Proof of Concept

Affects Plugins

Plugin icon
userpro
Fixed in 4.9.35.1

References

CVE
CVE-2019-14470
Exploitdb
47304
URL
https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Verified
Yes
WPVDB ID
5e3e0c4f-a7aa-4d66-b78b-fd836b869a5b

Timeline

Publicly Published
2019-08-25 (about 6 years ago)
Added
2019-08-26 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2023-10-18
Title
WordPress Popular Posts < 6.3.3 - Contributor+ Stored XSS
Published
2020-08-10
Title
Very Simple Quiz - Multiple Authenticated Stored Cross-Site Scripting (XSS)
Published
2025-04-01
Title
Gosign – Posts Slider Block <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2026-04-13
Title
Jupiter X Core < 4.14.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Published
2023-10-17
Title
Seriously Simple Stats < 1.5.2 - Reflected XSS