RSS   Vulnerabilities for 'Profilepress'   RSS

2021-08-09
 
CVE-2021-24522

CWE-79
 

 
The User Registration, User Profile, Login & Membership �?? ProfilePress (Formerly WP User Avatar) WordPress plugin before 3.1.11's widget for tabbed login/register was not properly escaped and could be used in an XSS attack which could lead to wp-admin access. Further, the plugin in several places assigned $_POST as $_GET which meant that in some cases this could be replicated with just $_GET parameters and no need for $_POST values.

 
2021-08-02
 
CVE-2021-24450

CWE-79
 

 
The User Registration, User Profiles, Login & Membership ??�??�?? ProfilePress (Formerly WP User Avatar) WordPress plugin before 3.1.8 did not sanitise or escape some of its settings before saving them and outputting them back in the page, allowing high privilege users such as admin to set JavaScript payloads in them even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue

 

 >>> Vendor: Profilepress 4 Products
Wp-user-avatar
Profilepress
Loginwp
User registration\, login form\, user profile \& membership


Copyright 2024, cxsecurity.com

 

Back to Top