WordPress Plugin Vulnerabilities

Author Avatars List/Block < 2.1.24 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Author Avatars List/Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
author-avatars
Fixed in 2.1.24

References

CVE
CVE-2025-22804
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/0725a122-9ad3-45bf-bf80-80881520634a

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
SOPROBRO
Verified
No
WPVDB ID
91fa2f11-80f7-4c34-9bfa-f2870df36d3d

Timeline

Publicly Published
2025-01-07 (about 1 year ago)
Added
2025-01-14 (about 1 year ago)
Last Updated
2025-01-14 (about 1 year ago)

Other

Published
Title
Published
2024-06-14
Title
Shariff Wrapper < 4.6.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2026-05-12
Title
Cost of Goods: Product Cost & Profit Calculator for WooCommerce < 4.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-02-21
Title
Simple Theme Options < 1.7 - Admin+ Stored Cross-Site Scripting
Published
2025-11-04
Title
Ohio Extra < 3.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-09-25
Title
Cookie Notice & Consent < 1.6.1 - Admin+ Stored XSS