WordPress Plugin Vulnerabilities

ProfilePress < 4.5.1 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitize and escape the ‘wp_user_cover_default_image_url parameter before outputting it to the pages on the site, allowing an authenticated (admin+) user to inject arbitrary web scripts even when unfiltered_html has been disabled (such as in a multisite setup.)

Affects Plugins

Plugin icon
wp-user-avatar
Fixed in 4.5.1

References

CVE
CVE-2022-4697
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-user-avatar/profilepress-450-authenticated-administrator-stored-cross-site-scripting

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
ed61610a-d388-4b27-a3ec-c0a38ae6f378

Timeline

Publicly Published
2022-12-23 (about 3 years ago)
Added
2022-12-26 (about 3 years ago)
Last Updated
2022-12-26 (about 3 years ago)

Other

Published
Title
Published
2025-01-29
Title
Responsive Blocks – WordPress Gutenberg Blocks < 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via section_tag Parameter
Published
2024-07-11
Title
Premium Addons for Elementor < 4.10.37 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Animated Text Widget
Published
2025-06-05
Title
WebHotelier < 1.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-02-15
Title
Upload File Type Settings <= 1.1 - Admin+ Stored XSS
Published
2025-08-13
Title
Billplz Addon for Contact Form 7 < 1.2.1 - Reflected Cross-Site Scripting