S4E

ProfilePress < 3.1.11 - Cross-Site Scripting

Short Info


Level: Medium

Single Scan: Single Scan

Can be used by: Asset Owner

Estimated Time: 10 seconds

Time Interval: 10 days 23 hours

Scan only one: Domain, Subdomain, IPv4

Toolbox: -

The ProfilePress plugin for WordPress before 3.1.11 is vulnerable to unauthenticated reflected cross-site scripting (XSS) via the tabbed login/register widget due to improper escaping of user input. Attackers can inject arbitrary JavaScript via the tabbed-login-name parameter.


Remediation:
Update the ProfilePress plugin to version 3.1.11 or later.