ProfilePress < 3.1.11 - Cross-Site Scripting

Short Info

Level

Medium

Single Scan

Can be used by

Asset Owner

Estimated Time

10 seconds

Time Interval

1 week 22 hours

Scan only one

Domain, Subdomain, IPv4

Toolbox

-

The ProfilePress plugin for WordPress before 3.1.11 is vulnerable to unauthenticated reflected cross-site scripting (XSS) via the tabbed login/register widget due to improper escaping of user input. Attackers can inject arbitrary JavaScript via the tabbed-login-name parameter.

References:

https://wpscan.com/vulnerability/25b51add-197c-4aff-b1a8-b92fb11d8697/
https://plugins.trac.wordpress.org/changeset/2561271/wp-user-avatar
https://nvd.nist.gov/vuln/detail/CVE-2021-24522

Remediation:
Update the ProfilePress plugin to version 3.1.11 or later.

Get started to protecting your digital assets

Start trial See the plans

ProfilePress < 3.1.11 - Cross-Site Scripting

Short Info

-

Detail

Category