WordPress Plugin Vulnerabilities

User Activation Email <= 1.3.0 - Reflected Cross-Site Scripting

Description

The plugin is vulnerable to Reflected Cross-Site Scripting via the uae-key parameter found in the ~/user-activation-email.php file which allows attackers to inject arbitrary web scripts

Affects Plugins

Plugin icon
user-activation-email
No known fix

References

CVE
CVE-2021-38325
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-38325

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
p7e4
Verified
No
WPVDB ID
d3366099-c920-4048-b07a-3e7f4b3f8cff

Timeline

Publicly Published
2021-09-08 (about 4 years ago)
Added
2021-09-09 (about 4 years ago)
Last Updated
2022-04-12 (about 3 years ago)

Other

Published
Title
Published
2025-10-16
Title
Tab Ultimate < 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-10-20
Title
Carousel, Recent Post Slider and Banner Slider < 2.1 - Contributor+ Stored Cross-Site Scripting
Published
2024-01-09
Title
Happy Elementor Addons < 3.10.1 - Contributor+ Stored Cross-Site Scripting
Published
2021-04-13
Title
Elementor - Header, Footer & Blocks Template < 1.5.8 - Contributor+ Stored XSS
Published
2025-05-07
Title
DoFollow Case by Case < 3.6.0 - Authenticated (Administrator+) Stored Cross-Site Scripting